List: General Discussion
From: Bill Dodson  Date: December 13 2005 5:42pm
Subject: Re: Hijackers?
Duncan Hill wrote:

>On Tuesday 13 December 2005 02:25, Peter Lauri wrote:
>  
>
>>Best group member,
>>
>>How can I prevent people from hijacking a query? I read this in an article
>>about a few months ago, but now I can not find that article again. This
>>question is maybe not so exact, and I do not know how risky it is to not
>>protect your system from database hijackers?
>>
>
>I believe what you're referring to are SQL Injection Attacks.
>
>Hypothetical scenario:
>
>You have a web script that runs some SELECT queries against a table.  One day, 
>a malicious user happens to be using the site when an SQL error occurs, and 
>your table/database name is displayed to them.  They change the content of a 
>search box (or any other field in the web script that gets used directly in 
>the query) to something like   1;'drop table mytable;'   .  Your script, 
>which just so happens to have drop privs, happily executes a double query - 
>the first part being what you wanted it to do, the second part being the drop 
>table.  There goes all of your data.
>
>The methods to defeat this, to the best of my knowledge, include limiting the 
>privileges of the web script user (or any user) to only do what they need to 
>do.  So if the script only needs to select data, don't give it any rights 
>other than select, and if possible, only select on the tables it needs.  The 
>other damage limitation option is to validate all of your input.  I use 
>quoting on all fields, including integers, and in some fields I also use the 
>HTML conversion functions to convert " to &quot; etc.
>
>  
>
I found this helpful:
http://www.unixwiz.net/techtips/sql-injection.html

-- 
Bill Dodson
Parkline, Inc. http://www.parkline.com
phone: 304-586-2113 x149
fax: 304-586-3842
email: bdodson@stripped
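The scenario Duncan describes above (a value from a search box pasted straight into the SQL text, with a second statement riding along) and his two defences can be seen side by side in a small script. This is an added example, not code from either poster; it uses Python's sqlite3 in place of MySQL so it runs offline, the `run_multi` helper is an assumed stand-in for a driver with multi-statement execution enabled, and the table, rows and the `1; DROP TABLE mytable` input are constructed for the demo, modelled on the post's example.

```python
import sqlite3

# Constructed demo schema; sqlite3 stands in for MySQL so the script runs offline.
SCHEMA = """
CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO mytable (id, name) VALUES (1, 'alpha'), (2, 'beta');
"""


def fresh_db():
    """Return a new in-memory database loaded with the demo table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    """Check the catalogue so the demo can tell whether the DROP went through."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def run_multi(conn, sql):
    """Assumed stand-in for a driver that allows several statements per call.

    Splits on ';' (naive, demo only), runs each statement and returns the
    rows of the first one, which is what the web script would have displayed.
    """
    statements = [s.strip() for s in sql.split(";") if s.strip()]
    rows = None
    for i, stmt in enumerate(statements):
        cur = conn.execute(stmt)
        if i == 0:
            rows = cur.fetchall()
    return rows


def lookup_vulnerable(conn, user_value):
    """The pattern from the post: user text is concatenated into the SQL."""
    sql = "SELECT name FROM mytable WHERE id = " + user_value
    return run_multi(conn, sql)


def lookup_parameterized(conn, user_value):
    """Hardened form: the value travels separately from the SQL text, so the
    database never parses it as SQL. A lookup with the injected string simply
    matches no row."""
    return conn.execute(
        "SELECT name FROM mytable WHERE id = ?", (user_value,)
    ).fetchall()


def validate_id(user_value):
    """Input validation for a numeric field: accept only a plain decimal
    integer, which rejects the payload before any SQL is built."""
    if not user_value.isdigit():
        raise ValueError("id must be a decimal integer")
    return int(user_value)


def demo():
    """Run the attack against both lookups and report what happened."""
    payload = "1; DROP TABLE mytable"  # constructed, modelled on the post's example

    conn = fresh_db()
    shown = lookup_vulnerable(conn, payload)        # first statement's rows
    dropped = not table_exists(conn, "mytable")     # second statement ran

    conn2 = fresh_db()
    safe = lookup_parameterized(conn2, payload)     # no match, no second statement
    intact = table_exists(conn2, "mytable")
    return shown, dropped, safe, intact


if __name__ == "__main__":
    shown, dropped, safe, intact = demo()
    print("vulnerable lookup returned:", shown, "table dropped:", dropped)
    print("parameterized lookup returned:", safe, "table intact:", intact)
    print("validate_id('42') ->", validate_id("42"))
```

Parameterised queries remove the need to hand-quote every field, including integers; `validate_id` is the belt to go with those braces for fields that must be numbers. Duncan's first point, limiting the database account, is enforced on the server rather than in the script: a MySQL account granted only SELECT on the tables the script reads cannot execute a DROP even if a concatenated query lets one through.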


