Duncan Hill wrote:
>On Tuesday 13 December 2005 02:25, Peter Lauri wrote:
>>Best group member,
>>How can I prevent people from hijacking a query? I read this in an article
>>a few months ago, but now I cannot find that article again. This
>>question is maybe not so exact, and I do not know how risky it is to not
>>protect your system from database hijackers?
>I believe what you're referring to are SQL Injection Attacks.
>You have a web script that runs some SELECT queries against a table. One day,
>a malicious user happens to be using the site when an SQL error occurs, and
>your table/database name is displayed to them. They change the content of a
>search box (or any other field in the web script that gets used directly in
>the query) to something like 1;'drop table mytable;'. Your script,
>which just so happens to have drop privs, happily executes a double query -
>the first part being what you wanted it to do, the second part being the drop
>table. There goes all of your data.
>The methods to defeat this, to the best of my knowledge, include limiting the
>privileges of the web script user (or any user) to only do what they need to
>do. So if the script only needs to select data, don't give it any rights
>other than select, and if possible, only select on the tables it needs. The
>other damage limitation option is to validate all of your input. I use
>quoting on all fields, including integers, and in some fields I also use the
>HTML conversion functions to convert " to &quot; etc.
I found this helpful:
Parkline, Inc. http://www.parkline.com
phone: 304-586-2113 x149
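The two defences Duncan describes (parameterised input and a database account that can only SELECT) side by side, as an added example that is not code from either poster. It uses an in-memory SQLite database, a constructed hostile search-box value modelled on the message's `1;'drop table mytable;'`, and SQLite's authorizer callback standing in for the GRANT-based privilege limits a real server would use; `mytable` and all sample rows are constructed here.

```python
import sqlite3

# Constructed sample input modelled on the message: a search-box value that
# smuggles a second statement after the id the script expected.
HOSTILE_INPUT = "1; DROP TABLE mytable"


def fresh_db():
    """Build a small throwaway database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO mytable VALUES (1, 'alice'), (2, 'bob');"
    )
    return conn


def table_exists(conn):
    """True while mytable is still present in the schema catalogue."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='mytable'"
    ).fetchone()
    return row[0] == 1


def search_vulnerable(conn, user_input):
    """The pattern the message warns about: user input pasted into the SQL text.

    executescript() runs every statement it finds, which mirrors a driver that
    accepts several statements per call, so the appended DROP executes too.
    """
    sql = "SELECT name FROM mytable WHERE id = " + user_input + ";"
    conn.executescript(sql)


def looks_like_id(user_input):
    """Input validation: an id is a run of digits and nothing else."""
    return user_input.isdigit()


def search_safe(conn, user_input):
    """Parameter binding: the value is sent as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT name FROM mytable WHERE id = ?", (user_input,)
    ).fetchall()


def restrict_to_select(conn):
    """Least privilege, SQLite style: deny anything that is not a read.

    A real server does this with GRANT SELECT on just the needed tables; SQLite
    has no accounts, so an authorizer callback plays that role here.
    """
    denied = {
        sqlite3.SQLITE_DROP_TABLE,
        sqlite3.SQLITE_DELETE,
        sqlite3.SQLITE_INSERT,
        sqlite3.SQLITE_UPDATE,
    }

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_DENY if action in denied else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def demo():
    """Run the three scenarios and report what happened to the table."""
    results = {}

    # 1. Concatenated SQL with full privileges: the table is gone.
    conn = fresh_db()
    search_vulnerable(conn, HOSTILE_INPUT)
    results["vulnerable_table_survives"] = table_exists(conn)

    # 2. Validation plus parameter binding: hostile input is just a non-matching value.
    conn = fresh_db()
    results["hostile_rejected_by_validation"] = not looks_like_id(HOSTILE_INPUT)
    results["safe_rows_hostile"] = search_safe(conn, HOSTILE_INPUT)
    results["safe_rows_benign"] = search_safe(conn, "2")
    results["safe_table_survives"] = table_exists(conn)

    # 3. Same vulnerable code, but the connection may only read: the DROP is refused.
    conn = fresh_db()
    restrict_to_select(conn)
    try:
        search_vulnerable(conn, HOSTILE_INPUT)
        results["restricted_error"] = None
    except sqlite3.Error as exc:
        results["restricted_error"] = str(exc)
    results["restricted_table_survives"] = table_exists(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Scenario 3 is the point of the privilege advice: even with the injection bug left in place, a connection that cannot drop tables turns the attack into an error in the log rather than lost data. The two measures are independent, so a script should have both.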