

SQL Injection via table names and field names. Case study. - illumen
http://renesd.blogspot.com/2012/06/sql-injection-via-field-names-and-table.html

======
r00fus
"About a year ago I had to implement a system where the table name could be
configured for an application. Why would you want to do that? Lots of reasons
really, like if you have a table generator via a web interface."

This is the reason you don't use a web-interface to do this. Allowing admin-
level traffic to enter through the same channels as user traffic is generally
a bad idea.

It's a major hole to an important layer in your defenses. Open it up and
you ask for trouble... even if you establish permissions, those can be
bypassed with escalation exploits.

------
samps
The author demonstrates an SQL "injection" via "malicious" django-admin.py
input. Is it really SQL injection if the user has access to your site's admin
script?

Some input really is trusted.

------
est
I am still amazed by the use of SQL language. Why use a text-based language,
instead of some kind of db API/ABI? You simply can't inject an API with only a
parameter.

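The configurable-table-name case r00fus quotes and est's point about parameters, as an added example (not code from the article or from these commenters): Python with the standard sqlite3 module, showing that a bound parameter is only ever a value, so a table or column name has to be handled by an allowlist plus identifier quoting instead. ALLOWED_TABLES, the schema and the helper names are constructed for the demonstration.

```python
import re
import sqlite3

# Allowlist of the table names this application actually knows about (constructed
# for the example); a configured name is checked against it before it is used.
ALLOWED_TABLES = {"events", "audit_log"}

# Second line of defence: accept only plain identifiers and double-quote them, so
# the name can never be parsed as anything other than a single identifier.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_identifier(name: str) -> str:
    """Return a double-quoted SQL identifier, or raise on an odd-looking name."""
    if not IDENT_RE.match(name):
        raise ValueError(f"not a plain identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema with two small tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE events (id INTEGER, name TEXT);"
        "INSERT INTO events VALUES (1, 'login'), (2, 'logout'), (3, 'upload');"
        "CREATE TABLE audit_log (id INTEGER, who TEXT);"
        "INSERT INTO audit_log VALUES (1, 'alice'), (2, 'bob');"
    )
    return conn


def count_rows_unsafe(conn: sqlite3.Connection, table: str) -> int:
    # The hole the article describes: the configured name is pasted into SQL text,
    # so anything after the first word becomes part of the query.
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def table_accepted(table: str) -> bool:
    """True only if the name is allowlisted and survives identifier quoting."""
    return table in ALLOWED_TABLES and bool(IDENT_RE.match(table))


def count_rows_safe(conn: sqlite3.Connection, table: str) -> int:
    # Allowlist first, quoting second; the raw value never reaches the SQL parser.
    if not table_accepted(table):
        raise ValueError(f"unknown table: {table!r}")
    sql = f"SELECT COUNT(*) FROM {quote_identifier(table)}"
    return conn.execute(sql).fetchone()[0]


def bound_parameter_is_a_literal(conn: sqlite3.Connection, column: str) -> list:
    # Why est's point only covers values: a bound parameter is always a literal,
    # so "binding" a column name selects that string for every row, not the column.
    return [row[0] for row in conn.execute("SELECT ? FROM events", (column,))]
```

Run count_rows_unsafe with the constructed value "events, audit_log" and it quietly returns the cross-join count, while count_rows_safe rejects the same value before any SQL is built.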
