Basically SQL injection attacks are based on exploiting poor SQL
generation to run things you really don't want to happen on a web


Suppose you have a web application that accepts input from an HTML form
and stores it in the variable "searchword", then in your code you naively
use string manipulation to create an SQL statement to run, e.g.:


// Vulnerable: the untrusted "searchword" is pasted straight into the SQL
// text, so any quotes or semicolons it contains become part of the statement.
String sql = "select values from searchtable where searchterms like '%"
             + searchword + "'";


Then you use JDBC to run that statement and return the list of values to
the web page in some way.


If there is no checking of the value that is passed in, a hacker could
set the searchword parameter to:


"bogussearch%';drop table searchtable;'"


And completely ruin your day, because when you run the SQL statement in
your code, you get:


select values from searchtable where searchterms like
'%bogussearch%';drop table searchtable;''


So, it will return the search results as expected (keeping your app from
crashing on that transaction), then drop the searchtable, causing you a
great deal of trouble.


The exact syntax of the attack varies from running undesired SQL
statements to running arbitrary commands on the target machine.


Different DBMS systems have different vulnerabilities related to SQL
injection, but none are completely safe.


To prevent them, you must always range check any values that are coming
from user input for size and content (e.g. no special characters).


Please note that you cannot do that with JavaScript (or any other
browser scripting language), because a hacker will simply bypass that
and feed an HTTP GET or POST directly to the server: the validation has
to be in server side code.


A (better) explanation can be found at:




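As an added illustration (not part of either e-mail), the concatenation above next to its parameterised replacement, run against a constructed in-memory SQLite table; Python's sqlite3 stands in for JDBC, and the length limit and allowed-character set in the validation helper are assumptions:

```python
import sqlite3

# Constructed sample: the payload quoted in the e-mail above.
PAYLOAD = "bogussearch%';drop table searchtable;'"
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -")

def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows ("values" is a SQL keyword,
    so the column is called "value" here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table searchtable (searchterms text, value text)")
    conn.executemany("insert into searchtable values (?, ?)",
                     [("java user group", "jug"), ("injection", "sqli")])
    return conn

def table_exists(conn: sqlite3.Connection) -> bool:
    cur = conn.execute("select count(*) from sqlite_master "
                       "where type = 'table' and name = 'searchtable'")
    return cur.fetchone()[0] == 1

def build_sql_unsafe(searchword: str) -> str:
    """Same construction as the Java line in the e-mail: untrusted text is
    pasted into the statement, quotes and semicolons included."""
    return ("select value from searchtable where searchterms like '%"
            + searchword + "'")

def run_unsafe(conn: sqlite3.Connection, searchword: str) -> None:
    """sqlite3's execute() refuses stacked statements, so executescript()
    stands in for a driver that accepts them. The select and the drop both
    run before the dangling quote fails to parse: the error arrives after
    the table is already gone."""
    try:
        conn.executescript(build_sql_unsafe(searchword))
    except sqlite3.OperationalError:
        pass

def validate_searchword(searchword: str, max_len: int = 64) -> bool:
    """Server-side size/content check as the e-mail recommends (the length
    limit and the allowed-character set are assumptions)."""
    return 0 < len(searchword) <= max_len and set(searchword) <= ALLOWED

def search_safe(conn: sqlite3.Connection, searchword: str) -> list:
    """Parameterised query (a JDBC PreparedStatement does the same): SQL text
    and value travel separately, so the payload can only be matched as text.
    A '%' in the value is still a LIKE wildcard, which is a matching detail,
    not an injection."""
    cur = conn.execute("select value from searchtable where searchterms like ?",
                       ("%" + searchword,))
    return [row[0] for row in cur.fetchall()]
```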

Sent: Wednesday, February 11, 2009 8:29 AM
Subject: [jug-discussion] another suggestion 


I'm sorry I had to leave last night.  Rene, that was very interesting.
You did a good job and I'm glad I went.  Gosh I have a lot to learn! 

Anyway, I've been hearing things about this sql injection threat and
that the Mars Rover actually had that issue.

Could anyone explain what it is and how to prevent it? 

Liz, Data Base Administrator,
Methods Engineering

