Comments on: We Don’t Need SQL Injection Anymore… http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/ Giorgio Maone's answers to the Web, the Universe, and Everything Tue, 02 Dec 2008 12:07:24 +0000 http://wordpress.org/?v=2.2.3 By: Jan http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8254 Jan Sat, 14 Jun 2008 11:26:59 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8254 It's emerging software, no support, use at your own risk. For me it's intresting idea which needs work. It’s emerging software, no support, use at your own risk. For me it’s intresting idea which needs work.

]]> By: Giorgio http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8253 Giorgio Sat, 14 Jun 2008 10:55:49 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8253 @<b>Slim Amamou</b>: yes, NYT's DBSlayer is quite similar in concept. But NYT folks are running their bridge as a separate and <em>private</em> load balancing daemon (port 9090 by default), and they don't suggest to query it directly from the client. Their <a href="http://code.nytimes.com/projects/dbslayer/wiki/CodingWithTheSlayer" target="_blank" rel="nofollow external" rel="nofollow">samples</a> are in PHP and Ruby, <em>server side</em> indeed. @Slim Amamou:
yes, NYT’s DBSlayer is quite similar in concept.
But NYT folks are running their bridge as a separate and private load balancing daemon (port 9090 by default), and they don’t suggest to query it directly from the client.
Their samples are in PHP and Ruby, server side indeed.

]]> By: Slim Amamou http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8251 Slim Amamou Sat, 14 Jun 2008 10:26:47 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8251 looks like dbslayer for ODBC http://code.nytimes.com/projects/dbslayer looks like dbslayer for ODBC http://code.nytimes.com/projects/dbslayer

]]> By: links for 2008-06-13 | Yostivanich.com http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8244 links for 2008-06-13 | Yostivanich.com Fri, 13 Jun 2008 07:34:21 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8244 [...] hackademix.net » We Don’t Need SQL Injection Anymore… This is stupid, allowing javascript to exucute sql queries, client side is rife with issues. (tags: javascript security sql ibm) [...] […] hackademix.net » We Don’t Need SQL Injection Anymore… This is stupid, allowing javascript to exucute sql queries, client side is rife with issues. (tags: javascript security sql ibm) […]

]]> By: Giorgio http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8238 Giorgio Thu, 12 Jun 2008 22:56:23 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8238 @<b>foo</b>: DBC-JS, as you can see by the source code, the demo and the paper, <em>allows</em> usage of prepared statement and stored procedures, but does not <em>enforce</em> it. Even the example at the end of the paper is "select * from books" entered in a browser input box. Guess what the underpaid junior developers who can "<cite>understand only a few abstractions</cite>" are going to do? @foo:
DBC-JS, as you can see by the source code, the demo and the paper, allows usage of prepared statement and stored procedures, but does not enforce it.
Even the example at the end of the paper is “select * from books” entered in a browser input box.
Guess what the underpaid junior developers who can “understand only a few abstractions” are going to do?

]]> By: klurf http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8237 klurf Thu, 12 Jun 2008 22:40:12 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8237 Lol,its worth to read the research report http://domino.watson.ibm.com/library/cyberdig.nsf/papers/507FDDAF5626498B852572B200540AA2/$File/RC24217.pdf "The DBC-JS API requires that clients authenticate themselves to the server with a name and password when first establishing a connection to the server. These credentials are passed on each message from client to the server which authenticates the client on a per.message basis." XSS? "DBC_JS prevents SQL injection atatcks by using a prepared statement API. Since the parameter values are never parsed as SQL, injection attacks cannot occur" 2nd Level injection? Not to mention DOS Attacks Not to mention the idea in general to make business logic at client site. Example source form the PDF: if (validPassword) continueWithApplicationBusinessLogic() Lol,its worth to read the research report
http://domino.watson.ibm.com/library/cyberdig.nsf/papers/507FDDAF5626498B852572B200540AA2/$File/RC24217.pdf

"The DBC-JS API requires that clients authenticate themselves to the server with a name and password
when first establishing a connection to the server.
These credentials are passed on each message from
client to the server which authenticates the client on a per.message basis."

XSS?

"DBC_JS prevents SQL injection atatcks by
using a prepared statement API. Since the parameter values are never parsed as SQL,
injection attacks cannot occur"

2nd Level injection?
Not to mention DOS Attacks

Not to mention the idea in general to make business logic at client site.
Example source form the PDF:

if (validPassword)
continueWithApplicationBusinessLogic()

]]> By: foo http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8236 foo Thu, 12 Jun 2008 22:32:52 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8236 Well, as far as i see, its not that bad. They use stored procedures (and you have some degree of control what procedures may be called - there's a whitelist of OK ones). So you can't inject arbitrary code. Well I dont say I would use a bank that uses this kond of technology, but for some low-security applications - for example some CMS it might be nice (i imagine that this kind of code is written fast). But I'm not a website security expert. And I'd like to see conceptual example of hack using stored procedures. Well, as far as i see, its not that bad. They use stored procedures (and you have some degree of control what procedures may be called - there’s a whitelist of OK ones). So you can’t inject arbitrary code.

Well I dont say I would use a bank that uses this kond of technology, but for some low-security applications - for example some CMS it might be nice (i imagine that this kind of code is written fast).

But I’m not a website security expert. And I’d like to see conceptual example of hack using stored procedures.

]]> By: ascii http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8234 ascii Thu, 12 Jun 2008 19:03:30 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8234 Just. Amazing. Just. Amazing.

]]> By: remy http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8233 remy Thu, 12 Jun 2008 18:48:33 +0000 http://hackademix.net/2008/06/12/we-dont-need-sql-injection-anymore/#comment-8233 are they crazy? security and javascript access to databases? Yes, Ying and Yang :P I hope nobody new to web technologies use this crap. It's a pity that they have no real time demos :D happy hacking ;) are they crazy?

security and javascript access to databases? Yes, Ying and Yang :P

I hope nobody new to web technologies use this crap.

It’s a pity that they have no real time demos :D

happy hacking ;)

]]>