[thelist] Need help with a simple regex (Monday annoyance)

Ken Schaefer Ken at adOpenStatic.com
Mon Apr 4 22:34:10 CDT 2005




--
www.adOpenStatic.com/cs/blogs/ken/ 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Matt Warden
: Subject: Re: [thelist] Need help with a simple regex (Monday annoyance)
: 
: Jonathan,
: 
: On Apr 4, 2005 7:42 PM, Jonathan Dillon <jdillon at boehm-ritter.com> wrote:
: > I have a field in an application that has a single text input that can
: > search multiple datatypes with the use of a pulldown.  Easy to hook it
: > up, but now I want to make sure that SQL injection attacks are 
: > completely not possible.
: 
: I think we showed in an earlier thread that you can basically guard
: against this by escaping single quotes. There was some discussion also
: about encoding attacks, but it seemed to be largely theoretical, as we
: could not get an example of the attack to work.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Unfortunately, none of us (AFAIK) are experts on this. If people like Michael
Howard (author of Writing Secure Code [1]) and David Litchfield (NGSS - he's
discovered how many vulnerabilities in various pieces of software? [2]) say
it's possible, then I take their word for it (especially over people here who
say "they can't get it to work" - no offence intended, but I think the former
two know a lot more about what they are talking about).

Cheers
Ken

[1] http://www.amazon.com/exec/obidos/ASIN/0735617228/
[2] http://www.google.com/search?q=site%3Amicrosoft.com+David+Litchfield
    http://www.google.com/search?q=site%3Aoracle.com+David+Litchfield
    http://www.google.com/search?q=site%3Aibm.com+David+Litchfield
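As an added example (not code from anyone in this thread), the two approaches Matt and Ken are arguing over are shown side by side for a search box whose pulldown selects the datatype: quote-escaping plus string concatenation, and a parameterized query with per-datatype validation. The table, column names and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the application's searchable table.
ROWS = [(1, "O'Brien", 42), (2, "Smith", 7), (3, "D'Angelo", 42)]


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE people (id INTEGER, name TEXT, dept INTEGER)")
    con.executemany("INSERT INTO people VALUES (?, ?, ?)", ROWS)
    return con


def search_by_escaping(con, datatype, term):
    """The guard discussed in the thread: double up single quotes, then build SQL."""
    escaped = term.replace("'", "''")
    if datatype == "text":
        sql = f"SELECT id FROM people WHERE name = '{escaped}'"
    else:
        # Numeric column: the literal is not quoted, so quote-escaping never
        # touches it and any extra SQL in the term lands directly in the query.
        sql = f"SELECT id FROM people WHERE dept = {escaped}"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con, datatype, term):
    """Parameterized alternative: the driver keeps data apart from the SQL text."""
    if datatype == "text":
        rows = con.execute("SELECT id FROM people WHERE name = ?", (term,))
        return [row[0] for row in rows]
    # Validate the numeric datatype before the value gets near the database.
    if not term.strip().lstrip("-").isdigit():
        raise ValueError("numeric search requires an integer")
    rows = con.execute("SELECT id FROM people WHERE dept = ?", (int(term),))
    return [row[0] for row in rows]


def numeric_term_rejected(term):
    """True when the parameterized search refuses a non-integer numeric term."""
    try:
        search_parameterized(make_db(), "numeric", term)
    except ValueError:
        return True
    return False
```

With the text datatype both versions find "O'Brien" correctly; with the numeric datatype a malformed term such as "42 OR 1=1" makes the escaping version return every row, while the parameterized version rejects it before any SQL runs.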
