An SQL injection attack is one in which a user of your form enters a piece of SQL code into it, wrapped in special characters in such a way that the data entered doesn't get used for the purpose you had intended - instead it gets used to corrupt or destroy your database.
For example, if your form's input arrives in $_REQUEST[message] and you write
INSERT into msgtab (message) values ("$_REQUEST[message]")
in your code, then without the appropriate precautions I could enter
Got you"); delete his database;
or words to that effect ... and that would be a nasty injection attack.
Note that most copies of PHP are configured with magic quotes on, to guard against this kind of hole being left by newcomers to coding, and that my example - quite intentionally - doesn't exactly attack; rather, it shows the principle.
As well as SQL injection attacks, Javascript can be injected too ... and even tags like <h1> can sometimes be injected to make the whole of the rest of a response page be shouted back at subsequent visitors to (say) a poorly written forum or chatroom.
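To make the principle above concrete, here is an added example (not code from the original article, and written in Python with SQLite rather than the article's PHP and MySQL) that puts the article's unsafe INSERT beside its safe form and also covers the HTML/Javascript case from the last paragraph. The payload string, the in-memory database and the msgtab table are all constructed for the demonstration; the unsafe query is only built as text, never executed.

```python
import html
import sqlite3

# Constructed sample input modelled on the article's payload (hypothetical, not real traffic).
INJECTED_MESSAGE = 'Got you"); delete his database;'


def build_query_unsafely(message):
    """Mirror the article's INSERT line: the form value is pasted straight into the SQL text.
    The quote and closing bracket inside the value end the string literal and the statement,
    so anything that follows would be read by a multi-statement driver as a second command."""
    return f'INSERT INTO msgtab (message) VALUES ("{message}")'


def new_database():
    """Create an in-memory SQLite database holding the article's msgtab table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE msgtab (id INTEGER PRIMARY KEY, message TEXT)")
    return conn


def store_message_safely(conn, message):
    """Parameterised INSERT: the value travels to the driver separately from the SQL text,
    so a quote inside it can never close the literal or start a new statement."""
    conn.execute("INSERT INTO msgtab (message) VALUES (?)", (message,))
    conn.commit()


def stored_messages(conn):
    """Return every message currently held in msgtab, in insertion order."""
    return [row[0] for row in conn.execute("SELECT message FROM msgtab ORDER BY id")]


def render_message(message):
    """Escape a stored message before putting it in a page, so that <h1>, <script> and the
    like are shown to later visitors as text rather than interpreted by their browser."""
    return "<p>" + html.escape(message) + "</p>"


def demonstrate():
    """Show the broken query text, then the same payload stored harmlessly as data."""
    unsafe = build_query_unsafely(INJECTED_MESSAGE)
    print("Unsafe query text :", unsafe)
    conn = new_database()
    store_message_safely(conn, INJECTED_MESSAGE)
    print("Stored as data    :", stored_messages(conn))
    print("Rendered for HTML :", render_message("<h1>shouting</h1>"))
    return unsafe, stored_messages(conn)


if __name__ == "__main__":
    demonstrate()
```

Running it prints the unsafe query with the literal closed early after "Got you", then shows that the parameterised version stores the whole payload, quote and all, as one ordinary row, and that escaping turns an injected <h1> tag into visible text.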
(written 2006-11-27)
Associated topics are indexed under
H113 - Using MySQL Databases in PHP Pages
[3455] MySQL, MySQLi, PDO or something else - how best to talk to databases from PHP - (2011-09-24)
[3035] How to display information from a database within a web page - (2010-11-07)
[2628] An example of an injection attack using Javascript - (2010-02-08)
[2561] The future of MySQL - (2010-01-03)
[2447] MySQL stored procedures / their use on the web from PHP - (2009-10-10)
[2432] Using print_r in PHP to explore mysql database requests - (2009-10-01)
[2320] Helping new arrivals find out about source code examples - (2009-08-03)
[2259] Grouping rows for a summary report - MySQL and PHP - (2009-06-27)
[2071] Setting up a MySQL database from PHP - (2009-03-08)
[1983] Keeping PHP code in database and running it - (2009-01-09)
[1561] Uploading to a MySQL database through PHP - examples and common questions - (2008-03-02)
[1010] Dates, times, clickable diarys in PHP - (2006-12-28)
[937] Display an image from a MySQL database in a web page via PHP - (2006-11-22)
[915] Paging through hundreds of entries - (2006-11-05)
[723] Viewing images held in a MySQL database via PHP - (2006-05-17)
[666] Database design - get it right from first principles - (2006-04-02)
[647] Checking for MySQL errors - (2006-03-15)
[581] Saving a MySQL query results to your local disc for Excel - (2006-01-29)
[572] Giving the researcher power over database analysis - (2006-01-22)
[515] MySQL - an FAQ - (2005-12-03)
[104] mysql_connect or mysql_pconnect in PHP? - (2004-10-30)
H117 - Security in PHP
[3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
[3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
[3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
[3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
[2939] Protecting your images from use out of context - (2010-08-29)
[2688] Security considerations in programming - what do we teach? - (2010-03-22)
[2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
[1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
[1747] Who is watching you? - (2008-08-10)
[1694] Defensive coding techniques in PHP? - (2008-07-02)
[1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
[1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
[1482] A story about benchmarking PHP - (2007-12-23)
[1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
[1387] Error logging to file not browser in PHP - (2007-10-11)
[1323] Easy handling of errors in PHP - (2007-08-27)
[1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
[1052] Learning to write secure, maintainable PHP - (2007-01-25)
[920] A lion in a cage - PHP - (2006-11-10)
[426] Robust checking of data entered by users - (2005-08-27)
[345] Spotting a denial of service attack - (2005-06-12)
S161 - Data Access and Security in MySQL
[3270] SQL - Data v Metadata, and the various stages of data selection - (2011-04-29)
[2647] Removing duplicates from a MySQL table - (2010-02-22)
[2263] Mysqldump fails as a cron job - a work around - (2009-06-30)
[2204] Images in a database? How big is a database? (MySQL) - (2009-05-28)
[1131] MySQL - Password security (authentication protocol) - (2007-04-02)
[535] MySQL permissions and privileges - (2005-12-20)
[401] What is an SQL injection attack? - (2005-08-02)
[193] The wrong MySQL - (2005-01-29)
[192] Current MySQL and PHP paths and upgrades - (2005-01-28)