On Wed, 20 Oct 2004 14:06:05 +0800, Mike Alim <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> Anyone heard about SQL injection attacks? How does it affect a
> website? And what do we need to do to prevent it?
Here's a theoretical one:

Let's assume you've got a query like "UPDATE foo SET bar ='%s' WHERE baz='%s' ... "

SQL injection works via substituting an SQL query into a variable. Query strings that are not transformed properly prior to being executed are most vulnerable to such attacks.

If you've got a web application that would access a database (e.g. e-commerce, secure logins, data drawn from a database, etc.) then SQL injection may be applicable to your case.

To prevent it, consider the following:

1) Proactive measures in coding. Code with security in mind.
2) Proper permissions for database users at the RDBMS level.
3) Transform query strings to the proper format (e.g. sprintf(), among others).
4) Activities that require database manipulation should be done under secure HTTP.
5) Do not unnecessarily expose the database port without encryption to an insecure network.

And well,... pray that you won't get cracked :D

--
Paolo Alexis Falcone
[EMAIL PROTECTED]

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
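The "UPDATE foo SET bar ='%s' WHERE baz='%s'" pattern from the reply above, shown beside its parameterised form, as an added example that is not part of the original thread. It uses Python's standard sqlite3 module and a constructed in-memory table; the table contents and the input values are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: three rows, none of which should match a bogus key.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (baz TEXT PRIMARY KEY, bar TEXT)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)",
                     [("alice", "old"), ("bob", "old"), ("carol", "old")])
    conn.commit()
    return conn


def update_vulnerable(conn, bar, baz):
    # The pattern from the post: untrusted values spliced into the SQL text.
    # A quote inside `baz` ends the string literal and the rest becomes SQL.
    sql = "UPDATE foo SET bar = '%s' WHERE baz = '%s'" % (bar, baz)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_safe(conn, bar, baz):
    # Parameterised query: the driver passes values separately from the
    # statement text, so quotes and keywords in the input stay plain data.
    cur = conn.execute("UPDATE foo SET bar = ? WHERE baz = ?", (bar, baz))
    conn.commit()
    return cur.rowcount


def rows_changed(update, baz):
    # Run one update against a fresh table and report how many rows it touched.
    return update(make_db(), "new", baz)


def demo():
    # Constructed input: a value that happens to contain a quote character.
    tricky = "x' OR '1'='1"
    return {
        "vulnerable": rows_changed(update_vulnerable, tricky),  # every row
        "safe": rows_changed(update_safe, tricky),              # no row
        "legit": rows_changed(update_safe, "bob"),              # exactly one
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the vulnerable version reports all three rows changed for a key that matches nothing, while the parameterised version changes none; a legitimate key still updates exactly one row.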