Thinking outside the box

Patron Saint of Lost Yaks

SQL Injection

Every now and then I see sites where SQL commands are concatenated together from user input and sent to the database server.
The author must really trust the user inputs!

For every system built this way, you can expect at least one attack with SQL injection. In some cases you might not be aware of the attack, and sometimes you are aware.

Here is an example of a "friendly" attack: it only promotes a site, but when you click the link you execute a JavaScript that does who knows what.

In this link http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=102737
and this http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=101673
there are examples of SQL injection attacks.

As I wrote in the first topic, "What if the attack could have encrypted all columns!"
That would be easily spotted in the front-end application.

But what if the attack had scrambled all date columns? How long would it then take to discover the SQL injection attack?

I hope this teaches all newbies, noobs and beginners to NEVER EVER concatenate strings to send to the database.
Always use parameterized queries as the first line of defence.
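To make the difference concrete, here is an added example (not code from the original post) that places the concatenated query next to the parameterized one and runs both against a constructed in-memory SQLite table. The table, rows and the hostile input string are assumptions made for the demonstration; the only thing that changes between the two functions is whether the user value becomes part of the SQL text or travels as a bound parameter.

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny Orders table
# with a date column, since the post asks how long a scrambled date column
# would go unnoticed.
SAMPLE_ROWS = [
    (1, "alice", "2008-05-01"),
    (2, "bob", "2008-05-02"),
    (3, "carol", "2008-05-03"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Orders (OrderID INTEGER PRIMARY KEY, Customer TEXT, OrderDate TEXT)"
    )
    conn.executemany(
        "INSERT INTO Orders (OrderID, Customer, OrderDate) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def orders_for_customer_concat(conn: sqlite3.Connection, customer: str) -> list:
    """VULNERABLE pattern the post warns about: the user value is spliced into
    the SQL text, so quote characters in the input change the query's meaning."""
    sql = (
        "SELECT OrderID, Customer, OrderDate FROM Orders "
        "WHERE Customer = '" + customer + "'"
    )
    return conn.execute(sql).fetchall()


def orders_for_customer_param(conn: sqlite3.Connection, customer: str) -> list:
    """SAFE pattern: the value is bound as a parameter. The database compiles
    the statement first and only then receives the value, so the input can
    never be parsed as SQL, whatever characters it contains."""
    sql = "SELECT OrderID, Customer, OrderDate FROM Orders WHERE Customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# A classic textbook input: a stray quote followed by an always-true condition.
HOSTILE_INPUT = "x' OR '1'='1"


def compare() -> dict:
    """Run both query styles with a normal value and with the hostile value and
    report how many rows each returns. The concatenated version leaks every row
    for the hostile input; the parameterized version correctly returns none,
    because no customer is literally named "x' OR '1'='1"."""
    conn = build_db()
    return {
        "concat_normal": len(orders_for_customer_concat(conn, "alice")),
        "concat_hostile": len(orders_for_customer_concat(conn, HOSTILE_INPUT)),
        "param_normal": len(orders_for_customer_param(conn, "alice")),
        "param_hostile": len(orders_for_customer_param(conn, HOSTILE_INPUT)),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name}: {count} row(s)")
```

The row counts are the point: the hostile input returns the whole table through the concatenated query and nothing through the parameterized one. In SQL Server the same idea is `SqlCommand.Parameters.AddWithValue` or `sp_executesql` with typed parameters; escaping quotes by hand is not a substitute, because the value still ends up inside the SQL text.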


posted on Wednesday, May 14, 2008 11:14 AM | Filed Under [ Administration ]

Feedback


# re: SQL Injection

It surprises me too that SQL Injection is still so common. There's a good primer on how to proof against these things on www.microsoft.com/hellosecureworld7 which I found to be pretty straightforward - but you're right, it's always important to just exercise best practices like not concatenating strings to send to the database.
5/15/2008 2:31 AM | Nico

# re: SQL Injection

Ya I have seen that same very thing, it is interesting to come by. Databases are fragile and must be treated with care.
5/16/2008 12:16 AM | wordress best blogs

# re: SQL Injection

I'm surprised that the injection method is so common too, it's strange to see old techniques still being used all the time. I see SQL scripts all the time that use "GO", lol, but it still works great for its use.
1/9/2009 5:07 AM | comcast sucks

# re: SQL Injection

I still use GO all the time in my SQL statements, it's different from simply executing.
1/13/2009 8:03 PM | agrotime blog