SQL injection attacks

Thursday 6 January 2005

Steve Friedl has written a detailed and comprehensive guide to how to crack into relational-based systems: SQL Injection Attacks by Example. Also included (for those of us on the hook for building these systems) are tips for how to prevent injection attacks.

Comments

Damian Cugley 6:47 AM on 8 Jan 2005

Also has to be said that if you must generate programming-language statements on the fly, then you need to convert strings into string literals anyway. For SQL this means doubling up all the apostrophes (in case someone's log-in name is o'reilly), and then SQL injection should not be possible...

My preference has always been for the application to do all its work via stored procedures; you can then give the database user the application connects as no INSERT or UPDATE privileges at all.
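The quoting rule from the comment above, as an added example (not code from the post or its commenter), using Python's sqlite3 over a constructed two-row table: naive concatenation breaks on a login like o'reilly, doubling the apostrophe repairs the dynamic statement, and a parameterised query avoids hand escaping entirely.

```python
import sqlite3

# Constructed sample rows, not data from the post.
USERS = [("alice", "Alice"), ("o'reilly", "Tim")]


def setup_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, realname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_naive(conn, login):
    """Vulnerable: the value is spliced into the statement as-is, so a
    login containing an apostrophe changes the SQL itself."""
    sql = "SELECT realname FROM users WHERE login = '" + login + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def sql_string_literal(value):
    """Convert a Python string into a SQL string literal by doubling every
    apostrophe, as the comment describes. This handles only the quote
    delimiter; driver-specific escape sequences are out of scope here."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, login):
    """Dynamic SQL with the value properly converted to a literal."""
    sql = "SELECT realname FROM users WHERE login = " + sql_string_literal(login)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterised(conn, login):
    """Preferred form: the driver keeps data separate from the statement,
    so no hand-written escaping is needed at all."""
    row = conn.execute(
        "SELECT realname FROM users WHERE login = ?", (login,)
    ).fetchone()
    return row[0] if row else None


def naive_fails_on(conn, login):
    """True when the naive lookup produces malformed SQL for this login."""
    try:
        lookup_naive(conn, login)
    except sqlite3.OperationalError:
        return True
    return False
```

Hand escaping is shown only to illustrate the comment's rule; in practice the parameterised form is the one to ship.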
