[WEB SECURITY] SQL Injection through "name" field possible?

Nilesh Bhosale nilesh at gslab.com
Tue Feb 1 00:03:08 EST 2011


Hi,

Generally, SQL injection is possible with the "value" field in a HTML form.
I was just wondering if it is practically possible through the "name"
field as well.

Also, for XML or SOAP requests is it possible using "element name" or
"attribute name" as opposed to "character data of an element" or
"attribute value" which is generally seen.

I think SQL injection can happen using the field name, typically if some
lazy developers are using the column name in the SQL DB as a "name" in
the form and just blindly using the form-field "name" in his SQL INSERT
(or so) queries.

Would like to see your comments on this.

Thanks,
Nilesh





More information about the websecurity mailing list