[Owasp-appsensor-project] SQL injection attack

Dennis Groves, MSc dennis.groves at owasp.org
Sat Feb 11 10:46:22 UTC 2012


On 11 Feb 2012, at 10:16, Emmanouil Prekas wrote:

I have not programmed in 20 years - but perhaps I can still be of help.

> Hello all
> I have this input :
> station=101 OR 1=1

That is not a valid SQL statement, so this could be part of the problem.
A valid SQL statement always ends in a semi-colon ";".

Assuming you made a typo in this email, then 'station=101 OR 1=1;'
is indeed an attempt at SQL Injection for a given input; however, there
are two additional things that are going on:

a) this field must actually be part of a SQL query
b) input validation must not be done on that field

All three conditions must be true or you will get a 'false' result.

> When i am checking if it is sql injection command with the command
> boolean
> verifyattack=org.owasp.appsensor.AttackDetectorUtils.verifySQLInjectionAttack(station);

As for the incredible software written by the contributors of OWASP, I
honestly cannot say, as my involvement in the project is that of an
architect interested in the patterns and principles.


Dennis

-- 
[Dennis Groves](http://www.owasp.org/index.php/User:Dennis_Groves), MSc
[dennis.groves at owasp.org](dennis.groves at owasp.org)

*This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900,
Mountain View, California, 94041, USA.*
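To make the three conditions in the reply above concrete, here is an added example that is not part of the original thread and not AppSensor's own code: a constructed in-memory SQLite `station` table, the field spliced into query text beside a parameterized lookup, and an allow-list check. The `looks_like_injection` heuristic and the sample rows are assumptions for illustration, not the behaviour of `verifySQLInjectionAttack`.

```python
import re
import sqlite3

# Constructed sample data: the table the looked-up "station" field belongs to.
STATIONS = [(101, "Alpha"), (102, "Bravo"), (103, "Charlie")]

# Illustrative tautology heuristic (assumed; not AppSensor's detector).
TAUTOLOGY = re.compile(r"(?i)\b(or|and)\b\s*\S+\s*=\s*\S+")


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE station (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO station VALUES (?, ?)", STATIONS)
    return conn


def looks_like_injection(value):
    """First condition: the value itself reads as an injection attempt."""
    return TAUTOLOGY.search(value) is not None


def is_valid_station(value):
    """Condition (b): allow-list validation; a station id is a small positive integer."""
    return value.isdigit() and 0 < int(value) < 10000


def lookup_concatenated(value):
    """Condition (a): the raw field is spliced into the SQL text (vulnerable on purpose)."""
    sql = "SELECT id FROM station WHERE id = " + value
    return [row[0] for row in _db().execute(sql)]


def lookup_parameterized(value):
    """Hardened lookup: a bound parameter is data, never SQL syntax."""
    rows = _db().execute("SELECT id FROM station WHERE id = ?", (value,))
    return [row[0] for row in rows]


def handle_request(value, validate=True):
    """All three conditions together: the tautology only fires when the value is an
    attack string, validation is skipped, and the field reaches the query text.
    Returns None when validation rejects the input (the query is never built)."""
    if validate and not is_valid_station(value):
        return None
    return lookup_concatenated(value)
```

With validation on, `handle_request("101 OR 1=1")` returns None; with it off, the concatenated query returns every station id, while the parameterized lookup returns nothing for the same input.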

