____/ Lusotec on Wednesday 12 August 2009 09:46 : \____
>
>
> Roy Schestowitz wrote:
>> Lusotec wrote:
>>> XSS security vulnerabilities are in the scripts driving the site. XSS
>>> (and also SQL injection) vulnerabilities are the result of coding flaws
>>> in the script where the inputs are not properly checked and sanitized.
>>> The OS and web server have nothing to do with it.
>>
>> I've read somewhere that a good database can prevent this too, at a lower
>> level. In the context of Windows servers, this was stated as well.
> I have no knowledge of any SQL server that has any *active* protection
> against SQL injection in their standard configuration.
>
> Some SQL DB servers provide things like stored procedures and parametrized
> queries that allow the developers to avoid SQL injection vulnerabilities
> but these have to be *correctly* used by the developer to have any positive
> effect.
>
> There are automated protections against SQL injections that work as a filter
> in front of the server and only pass to the server SQL queries that are
> considered safe. This approach has its disadvantages but with all the crappy
> scripts (and developers) out there it may just be what the doctor ordered.
>
> Regards.
Will these stored procedures permit an intruder to gain control over the
system?
- --
~~ Best of wishes
Roy S. Schestowitz | "ASCII stupid question, get a stupid ANSI"
http://Schestowitz.com | Open Prospects | PGP-Key: 0x74572E8E
Tasks: 140 total, 1 running, 139 sleeping, 0 stopped, 0 zombie
http://iuron.com - knowledge engine, not a search engine
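
Added example, not part of the original post or of either poster's code: the quoted point that parametrized queries only help when the developer uses them correctly, shown with Python's sqlite3 module. The table, rows, function names and crafted input are constructed for illustration; SQLite has no stored procedures, so only the parametrized-query case is covered.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory table; the rows are sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concatenated(db, name):
    # Flawed: the input is pasted into the SQL text, so it is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in db.execute(sql)]

def lookup_misused_params(db, name):
    # Still flawed: the parametrized API is called, but the untrusted value
    # was already formatted into the statement and nothing is bound.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in db.execute(sql, ())]

def lookup_parametrized(db, name):
    # Correct: the statement text is constant and the value is bound
    # separately, so the database only ever treats it as data.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name,))]

def compare(name):
    """Run the same lookup through all three code paths."""
    db = make_db()
    return {
        "concatenated": lookup_concatenated(db, name),
        "misused": lookup_misused_params(db, name),
        "parametrized": lookup_parametrized(db, name),
    }

if __name__ == "__main__":
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    for label, rows in compare(crafted).items():
        print(f"{label:13} -> {rows}")
```

Only the bound-parameter path returns no rows for the crafted name; the other two return every user, although one of them goes through the same parametrized call.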