[WEB SECURITY] SQL Injection through "name" field possible?

Tasos Laskos tasos.laskos at gmail.com
Tue Feb 1 00:24:29 EST 2011


On 01/02/11 05:24, Tasos Laskos wrote:
> Hi,
>
> On 01/02/11 05:03, Nilesh Bhosale wrote:
>> Hi,
>>
>> Generally, SQL injection is possible with the "value" field in a HTML 
>> form.
>> I was just wondering if it is practically possible through the "name"
>> field as well.
>>
> Sure it is.
>> Also, for XML or SOAP requests is it possible using "element name" or
>> "attribute name" as opposed to "character data of an element" or
>> "attribute value" which is generally seen.
>>
> Could be...for the same reason as the one you mention bellow but it'd 
> find it a more unlikely scenario.
> When you read from XML you usually tend to look for what you want 
> specifically.
>> I think SQL injection can happen using the field name, typically if some
>> lazy developers are using the column name in the SQL DB as a "name" in
>> the form and just blindly using the form-field "name" in his SQL INSERT
>> (or so) queries.
>>
> Yep, for that reason exactly.
>> Would like to see your comments on this.
>>
> My comment is that I'm really embarrassed that this hadn't occurred to 
> me before you mentioned it.
>> Thanks,
>> Nilesh
>>
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org 
>>
>>
>





More information about the websecurity mailing list