SQL injection attacks

Thursday 6 January 2005

Steve Friedl has written a detailed and comprehensive guide to how to crack into relational-based systems: SQL Injection Attacks by Example. Also included (for those of us on the hook for building these systems) are tips for how to prevent injection attacks.

Comments

Damian Cugley 6:47 AM on 8 Jan 2005

Also has to be said that if you must generate programming-language statements on the fly, then you need to convert strings in to string literals anyway. For SQL this means doubling up all the apostrophes (in case someone's log-in name is o'reilly), and then SQL injection should not be possible...

My preference has always been for the application to do all its work via stored procedures; you can then give the database user the applciation connects as no INSERT or UPDATE privileges at all.

Add a comment:

name
email	Ignore this: not displayed and no spam. Leave this empty:
www	not searched.
	Name and either email or www are required.
Don't put anything here: Leave this empty:
URLs auto-link and some tags are allowed: <a><b><i><p><br><pre>.
Email me future comments