SQL Injection question

  • I've read plenty of articles regarding SQL injection with web browsers to understand the dangers & strategies for preventing them, but would like a simple answer to another type of injection. Is it possible for SQL injection to happen with fat client applications? I think the answer is yes, but since I'm not a developer, I'm not certain & would like know. If I'm correct then I need to lean on our developers or help find new tools to automate the testing.

    Thanks 🙂

  • Yes, absolutely. And with 3-tier and n-tier apps also.

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

  • Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem.

    Even entering a name in a field, I could enter Jones';shutdown and stop the server if you were vulnerable to Injection.

  • Steve Jones - Editor (3/22/2008):

    Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem.

    I would not go quite this far, Steve. Rather I would say that any application that allows users to type in text that is eventually used in the construction of strings that are executed as SQL is vulnerable.

    The difference being that applications that do allow users to enter data, but only use that data as parameters (via ADO.net parameter objects) to stored procedures that only use them as variables to SQL statements (i.e., never dynamic SQL) should not be vulnerable to SQL injection attacks. Of course not many development environments are that disciplined.

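The distinction RBarryYoung draws above (text pasted into a SQL string versus text passed as a parameter) is easy to see side by side. The following is an added example, not code from the thread or from any poster; it uses Python's built-in sqlite3 module as a stand-in for the SQL Server back end of a fat client, with `?` placeholders playing the role of ADO.NET parameter objects. The customers table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the fat client's back-end table.
SAMPLE_ROWS = [("Jones", 120.0), ("Smith", 80.5), ("Patel", 42.0)]


def make_db():
    """Create an in-memory database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL, balance REAL)"
    )
    conn.executemany("INSERT INTO customers (name, balance) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_unsafe_sql(name):
    """The string a vulnerable client assembles: the typed value is pasted into the SQL text."""
    return "SELECT name, balance FROM customers WHERE name = '" + name + "'"


def lookup_unsafe(conn, name):
    """Executes the concatenated statement; quote characters in `name` change its meaning."""
    return conn.execute(build_unsafe_sql(name)).fetchall()


def lookup_safe(conn, name):
    """Sends the value as a bound parameter; the driver never parses it as SQL syntax."""
    return conn.execute(
        "SELECT name, balance FROM customers WHERE name = ?", (name,)
    ).fetchall()


def compare(conn, name):
    """Run both lookups on the same typed input and report what each one returns."""
    try:
        unsafe = lookup_unsafe(conn, name)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # The pasted text either broke the statement or turned it into several statements;
        # sqlite3 refuses to run it, a server that accepts batches would not.
        unsafe = "error: " + str(exc)
    return {"unsafe": unsafe, "safe": lookup_safe(conn, name)}


if __name__ == "__main__":
    conn = make_db()
    # Ordinary input, a tautology that widens the WHERE clause, and the thread's own
    # "Jones';shutdown" example typed into a name field.
    for typed in ["Jones", "x' OR 'a'='a", "Jones';shutdown"]:
        print(repr(typed), "->", compare(conn, typed))
```

Running it shows that the concatenated query returns every row for the tautology and fails outright for the `Jones';shutdown` input, while the parameterised query treats both strings as literal names and returns nothing. The lesson matches the thread: it is the construction of SQL text from user input that creates the exposure, not whether the client is a browser or a desktop program.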
