[PLUG] SQL insertion attacks
Bear Giles
bgiles at coyotesong.com
Wed Oct 30 18:18:58 UTC 2002
> On Wed, 30 Oct 2002, Paul Heinlein wrote:
>
> Are these rare, or fairly common but not publicized? I'm just wondering
> about my information stored -- I'm sure -- on Web sites I've used for
> purchases.
I'm sure that they're very common.

The way that they work is they attack web site scripts that generate queries
from user data. So where you expect the query to look like

    select * from table where user = 'bob';

(where you've gotten "bob" from the user form), they'll have filled out
the form with

    username: "bob' and more sql here ending with 'this"

so the query you actually run is

    select * from table where user = 'bob' and more sql here ending with 'this';

This is easy to fix in most cases, e.g., if you collect information on
a web page that will be echoed to a web page, replace ' with ' and
" with "... and also replace <, > and & to prevent abusive HTML.
But many sites don't bother.
Bear
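
Added example, not part of the original message: the query construction described above, run against an in-memory SQLite database, next to the same lookup with a bound parameter. The table, column names, sample rows and the form input are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample data; "accounts", "username" and "card" are
    # assumptions made for this example, not names from the message.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, card TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("bob", "card-bob"), ("alice", "card-alice")],
    )
    return db


def lookup_concatenated(db, username):
    # The pattern from the message: form data is pasted between the quotes,
    # so a quote inside the input ends the string literal early and the
    # remainder of the input is parsed as SQL.
    query = "SELECT username, card FROM accounts WHERE username = '" + username + "'"
    return query, db.execute(query).fetchall()


def lookup_parameterized(db, username):
    # The value is bound to the ? placeholder and travels separately from
    # the SQL text, so it is only ever compared as data.
    query = "SELECT username, card FROM accounts WHERE username = ?"
    return query, db.execute(query, (username,)).fetchall()


# Constructed form input in the shape the message describes: it starts with
# "bob'" and ends on an unclosed quote that the script's own quote completes.
FORM_INPUT = "bob' OR 'this' = 'this"

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concatenated, lookup_parameterized):
        for name in ("bob", FORM_INPUT):
            query, rows = fn(db, name)
            print(f"{fn.__name__}({name!r})")
            print(f"  sql:  {query}")
            print(f"  rows: {rows}")
```

With the concatenated query the constructed input returns every row in the table; with the bound parameter it matches no user and returns nothing.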