SQL LIMIT syntax is not an effective control against SQL injection #474
👍 on this one - to remove "Limit" as control for injection
Very well said Katy! +1!
👍 for this being removed, it's a bit misleading

Hi guys, any news on this one? Since a simple counterexample can be built with

+1

+1
Top 10-2017 A1-Injection says:

This statement is problematic in that if an attacker is able to insert syntax into the SQL statement then they can simply bypass the `LIMIT` clause by injecting a comment, stacking queries, etc. This is due to the `LIMIT` statement occurring last in SQL syntax. While there may be cases where the attacker is limited in syntax and the `LIMIT` statement has some effect, it seems rather pointless to recommend this without also recommending things that will lead to detection. This is primary screen real estate spent on a very ineffective control instead of a better control or even addressing one of the other attacks that are also listed on the page, but has no additional information:

Cheers!