how to replace and string in a "SELECT ... IN ()"

D'Arcy J.M. Cain darcy at druid.net
Fri Sep 26 12:38:48 EDT 2008


On Fri, 26 Sep 2008 11:00:59 -0500
"Michael Mabin" <d3vvnull at gmail.com> wrote:
> So we can drop a table in an in clause?  How is this a use case.  Cartoons
> are funny but actual proof that this example using an in-clause provides an
> exploit would be more helpful I think.

I'm not sure what proof you require.  If you program such that users
can enter arbitrary strings into your database it is obvious that the
exploit in that cartoon can be used against you.  And the point is that
it has nothing to do with IN clauses.  It can be any SQL.  Go read that
cartoon carefully.  It says nothing about IN clauses.  Consider:

"UPDATE student SET name = '%s' WHERE student_id = %s" % (name, id);

Now set name to "Robert'; DROP TABLE student;" and see what happens if
you feed that to your SQL database.  Hell, just put "';" in the string
for fun.

-- 
D'Arcy J.M. Cain <darcy at druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.


