Fedora rejects SQLninja
Posted Nov 11, 2010 7:40 UTC (Thu) by codefisher (guest, #64993)
Posted Nov 11, 2010 9:15 UTC (Thu) by dlang (✭ supporter ✭, #313)
Once the tool no longer works, you may or may not have actually fixed the real problem; all that you know is that this particular tool no longer works.
If you have a problem with SQL injection, you don't need a 'takeover' tool to show you that, you just need a fuzzing tool and watch your database logs for strange errors.
If you do have a SQL injection vulnerability, what you need to do is go back and look at your application design and how you are doing input validation and how you are interacting with the database (sanitization of database query parameters, switching to prepared statements, etc.) and fix the problem at a conceptual level. That way you not only defend against this particular tool, you also defend against the entire class of tools that send you bogus input in the hope that it breaks you.
If you have this in place and a fuzzing tool still shows problems, then you have a bug in your input validation code, which means it's time to go back and really review the code, not just twist knobs until you don't see the breakage anymore.
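The point made above, that a small fuzzer plus the database's own error reports is enough to find the bug, and that prepared statements fix the whole class rather than one tool's payloads, as an added example that is not part of the comment thread or of SQLninja. It builds a constructed in-memory SQLite `users` table, implements the same login check once with string concatenation and once with bound parameters, and runs a handful of constructed payloads through both, recording every authentication bypass and every database error. The table, the credentials and the payload list are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: an in-memory users table with two accounts.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately broken: user input is pasted into the SQL text."""
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, name, password):
    """Hardened: the statement is fixed, values travel as bound parameters."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# Constructed fuzz inputs: a tautology, a comment truncation, a bare quote
# and one benign control value.
PAYLOADS = ["' OR '1'='1", "alice'--", "'", "bob"]


def fuzz(login, conn):
    """Feed each payload into both fields of the login function.

    Returns (field, payload, outcome) tuples, where outcome is
    'auth bypass' (login succeeded with a bad credential) or
    'db error' (the database rejected the statement, which is the
    'strange error' a log review would surface).
    """
    findings = []
    for payload in PAYLOADS:
        # Payload in the name field, with a wrong password.
        # Payload in the password field, for a real user name.
        for field, args in (("name", (payload, "wrong")), ("password", ("alice", payload))):
            try:
                if login(conn, *args):
                    findings.append((field, payload, "auth bypass"))
            except sqlite3.Error:
                findings.append((field, payload, "db error"))
    return findings


if __name__ == "__main__":
    db = make_db()
    print("string-built query:", fuzz(login_vulnerable, db))
    print("prepared statement:", fuzz(login_prepared, db))
```

The concatenated version yields bypasses ("alice'--" comments out the password check; "' OR '1'='1" in the password field makes the WHERE clause a tautology) and syntax errors from the lone quote, while the prepared version produces neither: the same payloads are simply compared as literal strings. Note that the tautology only works in the password field here because AND binds tighter than OR, which is exactly why chasing individual payloads is a losing game.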
Posted Nov 11, 2010 16:21 UTC (Thu) by gidoca (subscriber, #62438)
Posted Nov 11, 2010 16:23 UTC (Thu) by gidoca (subscriber, #62438)
Posted Nov 12, 2010 19:22 UTC (Fri) by till (subscriber, #50712)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds