> From: Nathan M. Andelin
> 
> Thanks for pointing this out.  I still feel that OS/400 systems are less
> vulnerable to Web hacks than most other systems, but I see the scenario
> posed in the article would be possible.  Developers who are using SQL in
> their applications should beware.

You're right of course that we should be aware that people can hack our
systems, but this particular problem is more a result of really bad ASP
programming than of anything else.

The following things are required:

1. An "authentication" database with passwords in the clear.
2. A query against a database built from a string rather than a prepared
statement.

Either of these can be (and should be) gotten around easily.  In fact,
injected SQL is only an issue when you are building your SQL statements
from strings.  Prepared statements avoid this issue entirely, and
they've been available in JDBC for quite some time now.

I'm pretty sure ASP programming supports prepared statements (if it
doesn't, that's a significant weakness).  If it does and you still write
code like that shown in the article, you probably shouldn't be working
in a corporate environment.

Joe
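The two mistakes Joe lists side by side with their fixes, as an added example that is not part of the original thread and not the article's ASP code: a login check whose SQL is built from strings against a clear-text password column, next to a parameterised (prepared) statement that looks up a salted PBKDF2 hash and compares it in constant time. Python's built-in sqlite3 module stands in for JDBC/ADO, and the table layout, user name and password are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Constructed sample account for the example (not real data).
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "letmein"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the table stores these instead of the clear-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def build_db() -> sqlite3.Connection:
    """In-memory 'authentication' table. The column layout is an assumption for this example.

    clear_pw exists only so the vulnerable path can reproduce mistake #1 (passwords in
    the clear); the hardened path never reads it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, clear_pw TEXT)"
    )
    salt, digest = hash_password(SAMPLE_PASSWORD)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (SAMPLE_USER, salt, digest, SAMPLE_PASSWORD),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Both mistakes at once: SQL assembled from the raw form fields, compared against clear_pw.

    A password of  x' OR '1'='1  turns the WHERE clause into
    (name = 'alice' AND clear_pw = 'x') OR '1'='1', which matches every row.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' AND clear_pw = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Prepared statement plus hashed credentials.

    The '?' placeholder is bound by the driver, so user input is data, never SQL text.
    The password itself never reaches the database: we fetch salt and hash and compare
    the recomputed digest with hmac.compare_digest to avoid a timing side channel.
    """
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable, injected password:", login_vulnerable(db, SAMPLE_USER, payload))
    print("hardened,   injected password:", login_hardened(db, SAMPLE_USER, payload))
    print("hardened,   real password:    ", login_hardened(db, SAMPLE_USER, SAMPLE_PASSWORD))
```

The same shape applies to JDBC's `PreparedStatement` or ADO's parameterised `Command` objects: the fix is not escaping quotes by hand but keeping the SQL text constant and passing values through the driver's placeholders.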


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.