[Owasp-Malaysia] Mysql.com gets SQL injection

David Fetter david at fetter.org
Mon Mar 28 12:09:39 EDT 2011


On Mon, Mar 28, 2011 at 11:02:26PM +0800, Hasanuddin Abu Bakar wrote:
> Nice one
> http://hackingexpose.blogspot.com/2011/03/mysqlcom-hacked-via-sql-injection-vuln.html

Now remember, kids, prepared statements always beat string
manipulation...unless you're the attacker, in which case it's 180
degrees different.

I leave it as an exercise for the student to infer what this says
about ORMs which generate queries via the aforementioned string
manipulation.

Cheers,
David.
-- 
David Fetter <david at fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter at gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
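The contrast David draws, as an added example that is not from the post, the list, or mysql.com: the same login check written once by splicing user input into the SQL text and once as a parameterized statement, run against a constructed in-memory SQLite table (SQLite stands in for MySQL here so the block runs offline; the user rows, the table layout and the `admin' -- ` payload are all made up for the demonstration).

```python
import sqlite3

# Constructed sample data standing in for a site's login table.
# None of this is taken from the mysql.com incident.
USERS = [
    ("admin", "c0rrect-h0rse"),
    ("alice", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_query_by_concatenation(username: str, password: str) -> str:
    """String manipulation: user input becomes part of the SQL text.

    Returned as a string so the injected query can be inspected before it runs.
    """
    return (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def login_by_concatenation(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable login: executes the concatenated query as-is.

    Returns the matched username, or None when no row matches.
    """
    row = conn.execute(build_query_by_concatenation(username, password)).fetchone()
    return row[0] if row else None


def login_prepared(conn: sqlite3.Connection, username: str, password: str):
    """Hardened login: the SQL text is fixed; the values travel as parameters.

    sqlite3 uses '?' placeholders; MySQL drivers such as mysql-connector and
    PyMySQL use '%s' for the same role. Because the driver binds the values
    separately from the statement, a quote inside the username can never
    change the query's structure.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker input: closes the username literal and comments out
# the rest of the WHERE clause, so the password is never checked. The trailing
# space after '--' matters for MySQL, which requires whitespace after '--'.
INJECTION_USERNAME = "admin' -- "


def demo() -> dict:
    """Run both login paths with a legitimate user and with the payload."""
    conn = make_db()
    return {
        "concat_legit": login_by_concatenation(conn, "alice", "hunter2"),
        "prepared_legit": login_prepared(conn, "alice", "hunter2"),
        "concat_injected": login_by_concatenation(conn, INJECTION_USERNAME, "wrong"),
        "prepared_injected": login_prepared(conn, INJECTION_USERNAME, "wrong"),
        "injected_sql": build_query_by_concatenation(INJECTION_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The concatenated path logs the attacker in as `admin` with a wrong password, while the prepared path treats `admin' -- ` as a literal (and non-existent) username and returns nothing. The same check applies to query text produced by any layer, an ORM included: print the SQL it actually sends and look for values spliced into the statement rather than passed as parameters.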

