[WEB SECURITY] question about parameterized query for XPATH mitigation

mhellman at taxandfinance.com mhellman at taxandfinance.com
Wed Aug 5 12:33:07 EDT 2009

I can't quite get my teeny brain around how parameterized queries work for
XPATH mitigation. I'm clearly missing something obvious. I am using the
example found here:


The example seems to have a few typos (why would providing malicious
password input change the username part of the expression?), but that's
not the point.
When I think about prepared statements and bind variables relative to SQL
injection, my understanding is that the prepared statement is
compiled/processed separately from the variables. The XPATH example above
doesn't seem to have the same level of separation.  The evil value seems
to be assigned to a variable and then used in the compile statement. If
the password contained something like:

" or "1"="1

wouldn't it result in a manipulated expression?  TIA,
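The separation the question is asking about, shown as an added example (this is not code from the original message or from the linked page): the expression is compiled with only the placeholders `$login` and `$password` in it, and an `XPathVariableResolver` hands the engine the raw Java strings at evaluation time, so the password value is compared as a string and is never parsed as XPath. The sample document, the class name and the helper methods are constructed for the illustration; the concatenating variant is included only to contrast it with the bound one.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathBindDemo {
    // Constructed sample user store (assumption, not from the message).
    static final String XML =
        "<users>"
      + "<user><login>alice</login><password>s3cret</password></user>"
      + "<user><login>bob</login><password>hunter2</password></user>"
      + "</users>";

    // Compiled with variable references only; no user input is ever spliced into this text.
    static final String BOUND_EXPR =
        "/users/user[login/text()=$login and password/text()=$password]";

    // Bound version: the resolver returns the strings, the engine treats them as string values.
    static int countMatches(Document doc, final String login, final String password) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName name) {
                if ("login".equals(name.getLocalPart())) return login;
                if ("password".equals(name.getLocalPart())) return password;
                return null;
            }
        });
        XPathExpression compiled = xpath.compile(BOUND_EXPR); // parsed before any value is seen
        NodeList hits = (NodeList) compiled.evaluate(doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    // Concatenating version, for contrast: the value becomes part of the predicate's grammar.
    static int countMatchesConcat(Document doc, String login, String password) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String expr = "/users/user[login/text()='" + login + "' and password/text()='" + password + "']";
        NodeList hits = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new InputSource(new StringReader(XML)));
        String input = "' or '1'='1"; // single-quote form of the string from the question
        System.out.println("bound:  " + countMatches(doc, "alice", input));
        System.out.println("concat: " + countMatchesConcat(doc, "alice", input));
    }
}
```

With the bound expression the input is compared literally against each `password` text node and selects nothing; with concatenation the predicate is rewritten to `... or '1'='1'`, which is true for every `user` element.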

