[WEB SECURITY] question about parameterized query for XPATH mitigation

mhellman at taxandfinance.com mhellman at taxandfinance.com
Wed Aug 5 12:33:07 EDT 2009


I can't quite get my teeny brain around how parameterized queries work for
XPATH mitigation. I'm clearly missing something obvious. I am using the
example found here:

http://capec.mitre.org/data/definitions/83.html

The example seems to have a few typos (why would providing malicious
password input change the username part of the expression?), but that's
not the point.
When I think about prepared statements and bind variables relative to SQL
injection, my understanding is that the prepared statement is
compiled/processed separately from the variables. The XPATH example above
doesn't seem to have the same level of separation. The evil value seems
to be assigned to a variable and then used in the compile statement. If
the password contained something like:

" or "1"="1

wouldn't it result in a manipulated expression?  TIA,

Matt



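The separation the post asks about can be seen side by side in Java's javax.xml.xpath API, the API the CAPEC entry is built on. This is an added example, not code from the original post or from the CAPEC page; it assumes Java 9 or later (for Map.of) and a constructed users document.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class XPathVariableDemo {
    // Constructed sample document; a real application would load its own.
    static final String USERS_XML =
        "<users>"
      + "<user><name>alice</name><password>s3cret</password></user>"
      + "<user><name>bob</name><password>hunter2</password></user>"
      + "</users>";

    // Vulnerable form: the input is spliced into the expression text, so any
    // quote characters in it become part of the XPath grammar when compiled.
    static String concatenated(String user, String pass) {
        return "//user[name=\"" + user + "\" and password=\"" + pass + "\"]";
    }

    // Parameterized form: the expression is compiled with $user and $pass as
    // variable references. The values are handed over at evaluation time by a
    // resolver and compared as whole strings; they are never parsed as XPath.
    static Node lookup(String user, String pass) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("user", user, "pass", pass);
        xpath.setXPathVariableResolver((QName q) -> vars.get(q.getLocalPart()));
        XPathExpression expr = xpath.compile("//user[name=$user and password=$pass]");
        return (Node) expr.evaluate(doc, XPathConstants.NODE);
    }

    public static void main(String[] args) throws Exception {
        String evil = "\" or \"1\"=\"1";   // the password value from the post
        // Concatenation rewrites the predicate; the quotes close the literal.
        System.out.println("concatenated: " + concatenated("alice", evil));
        // With variables the whole string is the password being compared.
        System.out.println("param, evil pw matched a user: " + (lookup("alice", evil) != null));
        System.out.println("param, real pw matched a user: " + (lookup("alice", "s3cret") != null));
    }
}
```

Compiling the parameterized expression happens before any value is resolved, which is the same split between statement and data that a SQL prepared statement gives.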
