<div dir="ltr"><div>Doesn't it depend on where and why you intend to execute the code? Obviously some SQL is more at risk for exploit when the input is from the screen on a web page than if you were running parameterized code in a controlled batch environment. Or if you were writing code generators (which is what I happen to do) which won't be run by the general public.</div>
<div> </div>
<div>Incidentally, couldn't input field edits prevent such exploits prior to interpolation?<br></div>
<div class="gmail_quote">On Fri, Sep 26, 2008 at 11:38 AM, D'Arcy J.M. Cain <span dir="ltr"><<a href="mailto:darcy@druid.net">darcy@druid.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">On Fri, 26 Sep 2008 11:00:59 -0500<br>
<div class="Ih2E3d">"Michael Mabin" <<a href="mailto:d3vvnull@gmail.com">d3vvnull@gmail.com</a>> wrote:<br></div>
<div class="Ih2E3d">> So we can drop a table in an in clause? How is this a use case. Cartoons<br>> are funny but actual proof that this example using an in-clause provides an<br>> exploit would be more helpful I think.<br>
<br></div>I'm not sure what proof you require. If you program such that users<br>can enter arbitrary stings into your database it is obvious that the<br>exploit in that cartoon can be used against you. And the point is that<br>
it has nothing to do with IN clauses. It can be any SQL. Go read that<br>cartoon carefully. It says nothing about IN clauses. Consider;<br><br>"UPDATE student SET name = '%s' WHERE student_id = %s" % (name, id);<br>
<br>Now set name to "Robert'; DROP TABLE student;" and see what happens if<br>you feed that to your SQL database. Hell, just put "';" in the string<br>for fun.<br><font color="#888888"><br>--<br>
D'Arcy J.M. Cain <<a href="mailto:darcy@druid.net">darcy@druid.net</a>> | Democracy is three wolves<br><a href="http://www.druid.net/darcy/" target="_blank">http://www.druid.net/darcy/</a> | and a sheep voting on<br>
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.<br></font></blockquote></div><br><br clear="all"><br>-- <br>| _ | * | _ |<br>| _ | _ | * |<br>| * | * | * |<br></div>