[Noisebridge-discuss] Any chance in hell this might work?

Rachel McConnell rachel at xtreme.com
Mon Mar 22 06:08:27 UTC 2010


SQL injection is really really easy to defend against, and this is
generally done at the db abstraction layer.  So it doesn't matter where
the attack string comes from (from within the system; if you get access
to the db directly all bets are off, but then you don't need to 'inject'
SQL!).  SQL injection attacks are likely to be successful only for small
sites written by individuals who learned PHP last week from a web
tutorial, and have used easily guessable table names (or are attacked by
someone with knowledge of their schema).

Even if the text recognition succeeds, the string is not going to be
sent directly to the db but to some backend system that does processing
on it first.  That string, for example, is not a complete SQL statement
and needs to be wrapped in something like, "SELECT * FROM tablename
WHERE licence_plate = [value]".  In any sensible system, [value] is not
dropped directly into the SQL string but is sent separately, indicating
that the entire [value] is a value, and should not be interpreted as SQL
commands.  This is standard SQL methodology.

In a word, no, it's not going to work.  Unless the programmers, testers,
buyers, and managers of the traffic camera system are *all* absolute,
complete, utter idiots who don't keep up with news in their field --
which is theoretically possible.

Rachel

Ian Atha wrote:
> Doubtful the license plate camera could even recognize this font.
> These things are extremely specialized and finicky. See
> http://en.wikipedia.org/wiki/Automatic_number_plate_recognition .
> 
> On Sun, Mar 21, 2010 at 22:36, Ozzy Satori <ozzymandi at gmail.com> wrote:
>> http://i.imgur.com/RQcCi.jpg
>> I know it's a long-shot, but I'm seeing the most epic civil-disobedience
>> campaign in history.
>> I'm a mobile client guy who's always depended on Database Programmers for my
>> SQL stuff, but I'd love some tech feasibility opinions from people who know
>> more than me.
>> Is this an injection vector that the vendors would have likely considered?
>> -Ozzy.
>> _______________________________________________
>> Noisebridge-discuss mailing list
>> Noisebridge-discuss at lists.noisebridge.net
>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>>
>>
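
The distinction drawn in the reply above, between dropping [value] into the SQL string and sending it separately, as an added example that is not part of the original thread or of any real camera system's code. The table name `plates`, the sample rows and the recognized-plate string are constructed for illustration.

```python
import sqlite3

# Constructed OCR output: plate text that happens to contain a quote character.
HOSTILE_PLATE = "NOPLATE' OR '1'='1"


def make_db():
    """In-memory database with constructed sample rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE plates (licence_plate TEXT, owner TEXT)")
    db.executemany(
        "INSERT INTO plates VALUES (?, ?)",
        [("6ABC123", "alice"), ("7XYZ987", "bob")],
    )
    return db


def lookup_concatenated(db, plate):
    # Anti-pattern: the recognized text becomes part of the statement itself,
    # so a quote inside it changes the structure of the query.
    sql = ("SELECT owner FROM plates WHERE licence_plate = '"
           + plate + "' ORDER BY owner")
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, plate):
    # The statement text is fixed; the value is bound separately and is only
    # ever compared as data, whatever characters it contains.
    sql = "SELECT owner FROM plates WHERE licence_plate = ? ORDER BY owner"
    return [row[0] for row in db.execute(sql, (plate,))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, HOSTILE_PLATE))
    print("parameterized:", lookup_parameterized(db, HOSTILE_PLATE))
    print("normal lookup:", lookup_parameterized(db, "6ABC123"))
```

With the bound parameter, the hostile string is just a plate number that matches no row; with concatenation, the same string rewrites the WHERE clause and every row comes back.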


