LessThanDot Site Logo

LessThanDot

A decade of helpful technical content

Less Than Dot is a community of passionate IT professionals and enthusiasts dedicated to sharing technical knowledge, experience, and assistance. Inside you will find reference materials, interesting technical discussions, and expert tips and commentary.

Browsing "sql injection"

Please don’t use blacklists, use parameterized queries or stored procs instead

Every now and then you will hear how some site will use a blacklist to ‘protect’ themselves against sql injection. Using a blacklist is very foolish because you can’t ever think of all the different ways that the bad guys will try to bypass your little…

Read More...

SQL Injection Pocket Reference for MySQL, SQL Server and Oracle

There is a nice SQL Injection Pocket Reference up on Google Docs

Here is what is covered

MySQL
Default Databases
Comment Out Query
Testing Injection
Strings
Numeric
In a login
Testing Version
MySQL-specific code
Database Credentials
Data…

Read More...

Kaspersky Web Site Hacked With SQL Injection, How Embarrassing Is This?

We all know that Kaspersky is a security firm and they make a very nice product, you can see a list of their products here: http://www.kaspersky.com/ What I found out today on twitter is that their site got hacked by a SQL Injection attack. The tool that was used was the Acunetix Web Security Scanner. […]

Read More...

sp_replwritetovarbin Heap Overflow Code Exploit Code In The Wild, Works By Using Our Good Friend SQL Injection

There is code available to take advantage of the sp_replwritetovarbin heap overflow bug In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. To disable this proc you can run this as an admin on the box Before disabling this pro read BradC’s comment so that you do not break replication T-SQL1 execute […]

Read More...