3 comments

[ 0.24 ms ] story [ 14.5 ms ] thread
"About a year ago I had to implement a system where the table name could be configured for an application. Why would you want to do that? Lots of reasons really, like if you have a table generator via a web interface."

This is the reason you don't use a web-interface to do this. Allowing admin-level traffic to enter through the same channels as user traffic is generally a bad idea.

It's a major hole to an important layer in your defenses. Opening it up and you ask for trouble... even if you establish permissions, those can be bypassed with escalation exploits.

I am still amazed by the use of SQL language. Why use a text based language, instead of some kind of db API/ABI? You simply can't inject an API with only a parameter.
The author demonstrates an SQL "injection" via "malicious" django-admin.py input. Is it really SQL injection if the user has access to your site's admin script?

Some input really is trusted.