[WEB SECURITY] SQL Injection through "name" field possible?

Arian J. Evans arian.evans at anachronic.com
Tue Feb 1 23:18:20 EST 2011


To be fair, at first blush the casual reader could easily confuse the
content of this thread, transposing the question of testing Name=Value
for Value=Name.

I, for one, am not the only lysdexic person on this list.

In latter years I have learned we all benefit from channeling the
patient and benevolent persona of Amit Klein, :)

---
Arian Evans
Software Security Sophistry


On Tue, Feb 1, 2011 at 7:19 PM, Tasos Laskos <tasos.laskos at gmail.com> wrote:
> Sorry man but Little Bobby's name would go in the value part of the form not
> the name. ;)
>
> On 02/02/11 01:40, Matthew Zimmerman wrote:
>>>
>>> Generally, SQL injection is possible with the "value" field in an HTML
>>> form.
>>> I was just wondering if it is practically possible through the "name"
>>> field as well.
>>
>> I'm actually a little ashamed of this entire list for not mentioning
>> this already.  Has no one heard of Little Bobby Tables?
>> http://xkcd.com/327/
>>
>> Matt Zimmerman
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>
>



