views: 36

answers: 1

Currently I'm working on a research paper about SQL injection with RFID tags, and I'm curious whether it is possible to create a database trigger with an SQL injection if stacked queries are disabled. If stacked queries are enabled, of course it is easy (assuming you know the table layout), but what if they're disabled for security reasons?

edit: Nobody can say anything useful about this?

edit2: Since my question seems to be unclear, once again: the question is whether it is possible to create a trigger, given that there is an SQL injection. The database does not matter; choose one that fits the needs.

A: 

What database are you looking for? In PostgreSQL every trigger calls a stored procedure. Inside a stored procedure, you can execute dynamic queries if you want. If you don't do anything against SQL injection, not using quote_ident() and/or quote_literal(), your procedure is vulnerable to SQL injection. That's your own choice.

User input can never be trusted, so why the worry about RFID input? It's input, therefore it can't be trusted.

Frank Heikens
I think you misunderstand my question. The question is whether it is possible to _create_ a trigger, _given_ that there is an SQL injection.
Henri
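To make the point in Frank Heikens's answer concrete, here is an added PostgreSQL example (not code from the thread) of a trigger function that builds a dynamic query from the inserted row, first without any escaping and then hardened with quote_literal() / quote_ident() as the answer suggests. The table and column names (rfid_scan, audit_log, tag_id, reader) and the sample tag id are constructed for this illustration.

```sql
-- Constructed schema for the example: a scan table and an audit table.
CREATE TABLE IF NOT EXISTS rfid_scan (id serial PRIMARY KEY, tag_id text, reader text);
CREATE TABLE IF NOT EXISTS audit_log (id serial PRIMARY KEY, note text);

-- VULNERABLE: the tag id read from the RFID tag is concatenated straight into
-- the SQL text that EXECUTE runs. A quote character inside NEW.tag_id changes
-- the meaning of the statement. Note that the string is assembled inside the
-- server, so any quoting the client application did for its own INSERT does
-- not protect this query.
CREATE OR REPLACE FUNCTION log_scan_unsafe() RETURNS trigger AS $$
BEGIN
  EXECUTE 'INSERT INTO audit_log(note) VALUES (''scanned ' || NEW.tag_id || ''')';
  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

-- HARDENED: quote_literal() turns the value into a properly escaped string
-- literal; quote_ident() does the same for identifiers such as table names.
-- format('%I ... %L') and EXECUTE ... USING $1 are equivalent alternatives.
CREATE OR REPLACE FUNCTION log_scan_safe() RETURNS trigger AS $$
BEGIN
  EXECUTE 'INSERT INTO ' || quote_ident('audit_log')
       || '(note) VALUES (' || quote_literal('scanned ' || NEW.tag_id) || ')';
  -- Same effect with a bound parameter instead of string building:
  -- EXECUTE 'INSERT INTO audit_log(note) VALUES ($1)' USING 'scanned ' || NEW.tag_id;
  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

-- Attach the hardened function (PostgreSQL 11+ syntax; older releases use
-- EXECUTE PROCEDURE instead of EXECUTE FUNCTION).
DROP TRIGGER IF EXISTS rfid_scan_audit ON rfid_scan;
CREATE TRIGGER rfid_scan_audit AFTER INSERT ON rfid_scan
  FOR EACH ROW EXECUTE FUNCTION log_scan_safe();

-- A constructed tag id containing a quote character is stored as data;
-- with log_scan_unsafe() the same INSERT would fail or alter the statement.
INSERT INTO rfid_scan(tag_id, reader) VALUES ('E2''00-test', 'gate-1');
SELECT note FROM audit_log;
```

The hardened version is the one to keep: whichever of the three mechanisms (quote_literal/quote_ident, format(), or USING parameters) is used, the row data never becomes part of the SQL text, which is exactly the condition the answer describes for a trigger function that is not injectable.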