Thursday, June 23, 2005

Open Information Systems Security Group - SQL Injection

Open Information Systems Security Group - SQL Injection: "SQL Injection"

This article shed insight on the art of sql injection in data base driven applications. It follows structured approach and after going through it a reader will have a better understanding of sql injections.
This document discuss in detail common as well as some advance SQL Injection techniques as it applies to Microsoft Internet Information Server / Active Server Pages / Microsoft SQL Server. It discusses the various ways in which SQL can be injected & how one can protect him against the SQL injections. This document also contains brief description of the terms used in the context of databases & web Application.

What is SQL Injection?
It's a technique where an attacker creates or alters existing SQL commands (by using some special symbol) to gain access to unintended data or even the ability to execute system level commands in the server. SQL injections are the result of Poor Input Validation and can be blocked by proper input validation.
Application that do not correctly validate and/or sanitize the user input, can potentially be exploited in several ways:
· Changing SQL values
· Concatenating SQL Values
· Adding Function calls & stored Procedures to a statement
· Typecast and concatenate retrieved data
· Adding system functions & procedure to find out critical information about the server
Post a Comment