Re: about SQL injection
From: Kevin Carlson (kevin_at_kcarlson.net)
Date: 04/05/05
- Previous message: Rob Creely: "Re: Microsoft Software Auditing ?"
- In reply to: Seung Hyun Cho: "about SQL injection"
- Next in thread: David MacDonald: "Re: about SQL injection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 04 Apr 2005 19:00:48 -0700 To: Seung Hyun Cho <s970501@gmail.com>
This is unfortunately one of the most common site vulnerabilities. The
answer is to trust NOTHING from user input, including URL variables,
form data, etc. You need to test the input and accept only number data
in this case. Use an account with only "SELECT" permissions whenever
possible. This will help prevent hackers from executing multiple
queries at the same time, such as "delete from table where 1=1".
There are useful books you might want to read, such as "Innocent Code"
and "Web Applications Hacking Exposed".
Good luck,
Kevin
Seung Hyun Cho wrote:
>Hi,
>
>I am running my site on IIS & MS-SQL.
>
>I've found vulnerabilities in some pages.
>exploited query is working like...
>"select * from xxx where id=3"
>when I put something like '2 or 1=1', it shows every data in xxx.
>
>But... is it kind of big vulnerability?
>What hacker can do to my site in this situation?
>
>Thanks,
>
>---------------------------------------------------------------------------
>Earn your MS in Information Security ONLINE
>Organizations worldwide are in need of highly qualified information security
>professionals. Norwich University is fulfilling this demand with its MS in
>Information Security offered online. Recognized by the NSA as an
>academically excellent program, NU offers you the opportunity to earn your
>degree without disrupting your home or work life.
>
>http://www.msia.norwich.edu/secfocus_en
>----------------------------------------------------------------------------
>
>
>
>
---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security
professionals. Norwich University is fulfilling this demand with its MS in
Information Security offered online. Recognized by the NSA as an
academically excellent program, NU offers you the opportunity to earn your
degree without disrupting your home or work life.
http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------
- Previous message: Rob Creely: "Re: Microsoft Software Auditing ?"
- In reply to: Seung Hyun Cho: "about SQL injection"
- Next in thread: David MacDonald: "Re: about SQL injection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
