[cap-talk] Dan Bernstein's qmail security lessons paper
James A. Donald
jamesd at echeque.com
Mon Dec 17 04:31:41 EST 2007
James Donald writes:
> > > For things like the webserver, what can help a lot
> > > is writing stuff in a language that is immune from
> > > buffer overflows and the like.
Bill Frantz wrote:
> Yes, SQL injection attacks aren't based on taking over
> the web server. They depend on it failing at the
> devilishly hard problem of quoting an arbitrary string
> so some j-random SQL parser will treat it as data and
> not instructions.
Which is not possible in general. To safely escape user
supplied strings, one needs to use an escape routine
supplied by the people who supply the parser. If one
uses one's own custom escape routine, or an escape
routine that was written for a different database using
a different parser ....
This is a major and basic flaw in SQL, a reflection of a
more basic problem - that interactions between separate
threads on possibly separate machines must ultimately
take the form of a data stream, and we don't have any
good standard way of structuring a stream into calls and
arguments, or rather far too many good standard ways.
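An added example, not from the original post or its authors, showing the failure mode described above in Python with SQLite: a homegrown escape routine that only doubles quotes, placed by the application in a position it never anticipated, beside the bound-parameter form that the database's own driver supplies. The table, its rows and the inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with sample rows (not data from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def homegrown_escape(value):
    """The kind of custom escape routine the post warns against: it doubles
    single quotes and assumes the value will always sit inside a quoted
    literal. It knows nothing about the parser's other escape rules or about
    where in the statement the value actually lands."""
    return value.replace("'", "''")


def lookup_escaped(conn, user_id):
    """Escape-then-concatenate. The value is placed in a numeric position, so
    the quote handling is irrelevant and the parser reads the input as SQL."""
    sql = "SELECT name FROM users WHERE id = " + homegrown_escape(user_id)
    sql += " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Bound parameter: the driver, written by the people who supply the
    parser, hands the value to SQLite as data regardless of its contents."""
    rows = conn.execute(
        "SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Benign input behaves the same both ways.
    print(lookup_escaped(db, "2"), lookup_parameterized(db, "2"))
    # Input that is not a single value: the escaped query returns every row,
    # the parameterized query returns none because the text is compared as data.
    print(lookup_escaped(db, "2 OR 1=1"), lookup_parameterized(db, "2 OR 1=1"))
```

The same escape routine would be correct for a value inside a quoted literal on SQLite, which is exactly the trap: whether it is safe depends on the parser and the position, neither of which the routine's author controls.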