Ned Batchelder : Blog

SQL injection attacks

Thursday 6 January 2005

Steve Friedl has written a detailed and comprehensive guide to how to crack into relational-based systems: SQL Injection Attacks by Example. Also included (for those of us on the hook for building these systems) are tips for how to prevent injection attacks.
Comments
Also has to be said that if you must generate programming-language statements on the fly, then you need to convert strings into string literals anyway. For SQL this means doubling up all the apostrophes (in case someone's log-in name is o'reilly), and then SQL injection should not be possible...

My preference has always been for the application to do all its work via stored procedures; you can then give the database user the application connects as no INSERT or UPDATE privileges at all.
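An added illustration of the two points in the comment above (doubling apostrophes to form a proper string literal, versus keeping data out of the statement text altogether), written for this page and not taken from the post or from Friedl's guide. It uses Python's sqlite3 module and a constructed in-memory table; the o'reilly login name is the one the comment mentions.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example (not from the post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("o'reilly", "editor"), ("ned", "admin")])
    return conn


def quote_literal(s: str) -> str:
    """Turn a string into an SQL string literal by doubling apostrophes,
    as the comment describes. Only valid where a *string literal* is
    expected; numeric or identifier positions need different handling."""
    return "'" + s.replace("'", "''") + "'"


def lookup_naive(conn, login):
    # Raw concatenation: the apostrophe in o'reilly ends the literal early
    # and the rest of the input becomes part of the SQL grammar.
    sql = "SELECT role FROM users WHERE login = '" + login + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_escaped(conn, login):
    # Same concatenation, but the value is converted to a literal first.
    sql = "SELECT role FROM users WHERE login = " + quote_literal(login)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_param(conn, login):
    # Bound parameter: the driver never mixes the value into the SQL text.
    row = conn.execute("SELECT role FROM users WHERE login = ?",
                       (login,)).fetchone()
    return row[0] if row else None


def demo(login="o'reilly"):
    conn = make_db()
    results = {}
    try:
        results["naive"] = lookup_naive(conn, login)
    except sqlite3.OperationalError as e:
        results["naive"] = "error: " + str(e)   # statement is malformed
    results["escaped"] = lookup_escaped(conn, login)
    results["param"] = lookup_param(conn, login)
    return results
```

The naive version fails on a perfectly legitimate name, which is the same defect an attacker would exploit; the escaped and parameterized versions both return the expected row.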