| |||||||||||
| |||||||||||
What is an SQL injection attack?
An SQL injection attack is where a user of your form enters a piece of SQL code into it, and wraps it in special characters in such a way that the data entered doesn't get used for the purpose you had intended - it gets used to corrupt or destroy your database.
For example, if your form returns to $_REQUEST[message] and you write INSERT into msgtab (message) values ("$_REQUEST[message]") in your code, then without the appropriate precautions I could enter Got you"); delete his database; or words to that effect ... and that would be a nasty injection attack. Note that most copies of PHP are configured with magic quotes on to insure against this kind of hole being left by newcomers to coding, and that my example - quite intentionally - doesn't exactly attack; rather, it shows the principle As well as SQL injection attacks, Javascript can be injected too ... and even tags like <h1> can sometimes be injected to make the whole of the rest of a response page be shouted back at subsequent visitors to (say) a poorly written forum or chatroom. (written 2006-11-27 06:01:24) Associated topics are indexed under S161 - Data Access and Security in MySQLH113 - Using MySQL Databases in PHP Pages H117 - Security in PHP
Some other Articles
What happened at GeekmasPython and the Magic Roundabout Sludge off the mountain, and Python and PHP Running an on line campaign What is an SQL injection attack? Look around this mouth. Code quality counts Just ******* Google it Matching within multiline strings, and ignoring case in regular expressions Index of Pictures 1637 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33 at 50 posts per pageThis is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price. Link to Ezine home page (for reading). Link to Blogging home page (to add comments). |
| ||||||||||
PH: 01144 1225 708225 • FAX: 01144 1225 707126 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho | |||||||||||