April 2004 - Posts

Double quote against SQL injection?

The answer is NO.
I had this question at one of my last security talks. A guy told me that he replaces every quote with a doubled quote and is therefore safe. I didn't have the answer at the time.

Unknown developer, I must say to you: you are wrong. You are UNSAFE.

Today, in a meeting with Michael Willers and Tobias Ulm about the security trainings we deliver next month, Michael showed us the following code:

select * from blabla where id=12323 ;shutdown

I never knew that SQL Server has a T-SQL SHUTDOWN command. Now I know it, and I also know that there is no quote anywhere in this statement, so doubling quotes would not have touched it.
But the most important lesson I learned again is: you never know what you don't know!
You also never know that an application is safe; you only ever know the opposite. Every application is unsafe. Feel bad? I do!
UPDATE: the best way is to use parameterized stored procedures. I say this because it is also possible to call stored procedures without a parameters collection, by building the call as a string, and that leaves you just as exposed.
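To show why the quote-doubling "defence" misses the numeric case from the post, here is an added example (not code from the original post) that builds the query both ways. It uses Python with an in-memory SQLite table named after the post's `blabla`, so the table, its one row and the helper names are constructed for illustration; the input string is the one Michael showed.

```python
import sqlite3


def double_quotes(value: str) -> str:
    """The proposed 'defence': replace every single quote with two."""
    return value.replace("'", "''")


def unsafe_query(user_id: str) -> str:
    """Concatenates the user value into a numeric WHERE clause.
    Quote doubling is irrelevant here: the value is never quoted, so the
    batch separator and the second statement survive untouched."""
    return "SELECT * FROM blabla WHERE id=" + double_quotes(user_id)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the post's 'blabla'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blabla (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO blabla VALUES (12323, 'example row')")
    return conn


def lookup_bound(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameter binding: the driver sends the value separately from the
    SQL text, so the whole string is compared as a value and never parsed
    as SQL. A non-numeric string simply matches no row."""
    return conn.execute("SELECT * FROM blabla WHERE id=?", (user_id,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, user_id: str) -> list:
    """Type validation plus binding: reject anything that is not an
    integer before it reaches the database at all."""
    try:
        numeric_id = int(user_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT * FROM blabla WHERE id=?", (numeric_id,)).fetchall()


if __name__ == "__main__":
    payload = "12323 ;shutdown"  # the input from the post: no quote in it
    print(unsafe_query(payload))  # quote doubling changed nothing
    conn = setup_db()
    print(lookup_bound(conn, "12323"), lookup_bound(conn, payload))
```

SQLite's `execute` refuses multi-statement batches, which SQL Server does not, so the unsafe string is only built here, not run; the point is that the sanitizer leaves it intact.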

German Developer Security Training

We offer a one-day training "How to develop secure applications" at 11 locations in Germany.
Tobias Ulm and Hannes Preishuber (that's me) are the expert trainers.
The language is German.

The best thing is the price: only 39 Euro + tax.

DVD, lunch, soft drinks and printed slides are included.
You also have the chance to win a free TechEd Amsterdam ticket.

Register online.

• 3.5. Hamburg
• 4.5. Hannover
• 5.5. Leipzig
• 6.5. Dresden
• 7.5. Berlin
• 10.5. Burghausen
• 11.5. Baden-Baden
• 12.5. Frankfurt/M.
• 13.5. Köln
• 14.5. Koblenz
• 17.5. Berlin and München
• 18.5. Hamburg and Burghausen
• 19.5. Hannover
• 24.5. Köln
• 25.5. Koblenz
• 26.5. Frankfurt
• 27.5. Baden-Baden
• 28.5. München
• 1.6. Leipzig
• 2.6. Dresden
Posted by preishuber