[Webappsec] Automatically detecting injections

Jeff Williams jeff.williams at owasp.org
Mon Apr 28 21:41:00 EDT 2008


> it's really weird and unwise to be claiming 'total security' for any
> sort of given pattern _anyway_, i'm a bit surprised to see 'owasp'
> taking that stance, but consider if the underlying sql statement were:
> 
> --
> exec (?)
> --

I'm not trying to nitpick here, but I really don't consider this injection.
To me, the core of any injection vulnerability is that the meaning of the
query or command is changed before it gets to the interpreter.  Here, the
meaning is unchanged.

I don't think I'm making an outlandish claim here, by the way.  Actually,
it's almost a tautology.  You can't have SQL injection in a parameterized
query because, by definition, a parameterized query doesn't allow the
attacker to change the meaning of the query.

--Jeff
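The distinction Jeff draws (does the input change the meaning of the statement the interpreter sees?) can be shown in a few lines. The following is an added example, not code from the thread or from OWASP; it uses Python's built-in sqlite3 module with a constructed two-row table. `lookup_concat` builds the SQL by string concatenation, `lookup_param` binds the value as a `?` parameter, and `lookup_exec_param` stands in for the `exec (?)` case from the quoted message: the value is passed as a parameter, but the callee (`stored_proc_exec`, a hypothetical stand-in for a stored procedure body) hands it to the parser again. The lookup names and the `users` table are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so the parser
    may read it as code and the meaning of the statement can change."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_param(conn, name):
    """Parameterized: the SQL text is fixed before the value is bound.
    Whatever the value contains, it is compared as data, so the
    statement's meaning cannot change (Jeff's criterion)."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(r[0] for r in conn.execute(sql, (name,)))


def stored_proc_exec(conn, sql_text):
    """Hypothetical stand-in for a stored procedure whose body is
    'exec (@sql)': it executes whatever SQL text it is given."""
    return conn.execute(sql_text)


def lookup_exec_param(conn, name):
    """The 'exec (?)' pattern from the thread. The call boundary uses a
    bound parameter, but the bound value is itself SQL text that was
    built by concatenation, and the callee re-parses it. Binding at the
    outer layer therefore gives no protection: the meaning the parser
    finally sees is decided by the input after all."""
    dynamic_sql = "SELECT name FROM users WHERE name = '" + name + "'"
    # The bind itself is harmless; "SELECT ?" just returns the value.
    bound_value = conn.execute("SELECT ?", (dynamic_sql,)).fetchone()[0]
    return sorted(r[0] for r in stored_proc_exec(conn, bound_value))


def is_meaning_preserved(conn, name):
    """Defender's check for the criterion in the post: a lookup for a
    literal name should never return rows whose name differs from it."""
    return all(row == name for row in lookup_param(conn, name))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print("concat     :", lookup_concat(db, probe))
    print("param      :", lookup_param(db, probe))
    print("exec-param :", lookup_exec_param(db, probe))
    print("preserved  :", is_meaning_preserved(db, probe))
```

Running it shows the concatenated and `exec (?)` variants returning every row for an input that names no user, while the parameterized variant returns nothing: the bound value was compared as a string and nothing else. This is the sense in which a parameterized query is not injectable, and also why a parameter that later becomes the text of a dynamically executed statement is no longer a parameter in that sense.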