SQL Injection
SQL injection is an attack on the database behind an application. It is a type of security exploit in which the attacker supplies SQL code through a web form input (or any other user-controlled input) so that it is executed by the database, in order to gain access to resources or to make changes to data.
What are SQL Injection attacks?
An SQL injection attack is a type of attack where a user of your form enters a piece of SQL code into it, wrapped in special characters (typically a single quote to close the string the application opened, and a comment sequence or additional condition to take over the rest of the statement), so that the data entered is not used for the purpose you intended but instead changes the query, and can be used to read, corrupt or destroy your database. When the attacker enters the data into the form, that data is used directly to build a dynamic SQL query that is run against the database. Such malicious code injection is called an SQL injection attack. There are two forms of SQL injection attack, distinguished by where the input comes from:
1. Form injection: the malicious input is submitted through a form field (for example a login form).
2. URL injection: the malicious input is supplied in a URL parameter (for example an id in a query string).
What’s vulnerable?
A web application is vulnerable to SQL injection for only one reason: end-user string input is not properly validated and is passed into a dynamically built SQL statement. The string input is usually passed directly to the SQL statement. However, the user input may also be stored in the database and later passed to a dynamic SQL statement (a second-order injection). Because of the stateless nature of many web applications, it is common to write data to the database between web pages, and any page that later reads that data back and concatenates it into a query is exposed. This indirect type of attack is much more complex and requires in-depth knowledge of the application, because the payload must survive the first (often correctly parameterised) write and only takes effect in a later query.
What’s not vulnerable?
SQL statements using bind variables are generally immune to SQL injection attacks, as the Oracle database will use the value of the bind variable exclusively and not interpret
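The following is an added example, not code from the original page: it demonstrates the form injection, URL injection and second-order (stored) injection described above, and the bind-variable fix, in Python. It uses an in-memory SQLite database as a stand-in for the Oracle database the text refers to (SQLite's `?` placeholders play the role of Oracle bind variables); the table, rows and function names are all constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Form injection target: the user's strings are pasted straight into the statement,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s' ORDER BY id"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def get_user_by_id_vulnerable(conn, user_id):
    # URL injection target (think ?id=...): a numeric column needs no quote at all,
    # "1 OR 1=1" is injected as-is.
    sql = "SELECT username FROM users WHERE id = %s ORDER BY id" % user_id
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Bind variables: the values travel separately from the statement text and are
    # never parsed as SQL, so the same payloads match nothing.
    sql = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password))]


def register_safe(conn, username, password):
    # The write is correctly parameterised; the malicious name is stored verbatim.
    conn.execute(
        "INSERT INTO users (username, password, role) VALUES (?, ?, 'user')",
        (username, password),
    )


def reset_password_second_order(conn, user_id, new_password):
    # Second-order injection: the name is read back safely, then (the bug) concatenated
    # into a later UPDATE. Returns the number of rows the UPDATE touched.
    stored_name = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, stored_name)
    return conn.execute(sql).rowcount


def reset_password_safe(conn, user_id, new_password):
    # Same flow with a bind variable on the second statement: only one row changes.
    stored_name = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    return conn.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, stored_name)
    ).rowcount


def demo():
    conn = make_db()
    results = {}
    # Form injection: the classic tautology and the comment-based bypass.
    results["form_bypass"] = login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1")
    results["comment_bypass"] = login_vulnerable(conn, "alice' --", "wrong")
    # URL injection on a numeric parameter.
    results["url_numeric"] = get_user_by_id_vulnerable(conn, "1 OR 1=1")
    # The bind-variable version treats the payload as an ordinary (non-matching) string.
    results["safe_rejects"] = login_safe(conn, "' OR '1'='1", "' OR '1'='1")
    # Second-order: the payload is stored safely, then fires in a later dynamic query.
    register_safe(conn, "x' OR 'a'='a", "pw")   # becomes id 3
    results["second_order_rows_changed"] = reset_password_second_order(conn, 3, "owned")
    results["alice_after"] = login_safe(conn, "alice", "owned")   # alice's password was overwritten
    results["second_order_safe"] = reset_password_safe(conn, 3, "pw2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The second-order case is the one the text calls indirect: `register_safe` is written correctly, and the injection only takes effect when `reset_password_second_order` rebuilds a statement from data it trusted because it came from the database. The fix is the same at every layer: every statement that carries application data uses a bind variable, regardless of where that data came from.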