Published by: Manish on Apr 05, 2009
SQL Injection
Introduction
The World Wide Web has experienced remarkable growth in recent years. Businesses, individuals, and governments have found that web applications can offer effective, efficient and reliable solutions to the challenges of communicating and conducting commerce in the twenty-first century. However, the security of Web applications has become increasingly important in the last decade. With more and more Web-based applications dealing with sensitive financial and medical data, it is crucial to protect these applications from hacker attacks. A security assessment by the Application Defense Center, which included more than 250 Web applications from e-commerce, online banking, enterprise collaboration, and supply chain management sites, concluded that at least 92% of Web applications are vulnerable to some form of attack.

Many vulnerabilities in web applications are caused by permitting unchecked input to take control of the application, which an attacker will then turn to unexpected purposes. SQL Injection is the most common technique of this kind. Besides SQL Injection, the other types of injection attack are:
Shell injection.
Scripting language injection.
File inclusion.
XML injection.
XPath injection.
LDAP injection.
SMTP injection.
What is SQL Injection?
SQL Injection is a technique to hack the database. It is a type of security exploit in which the attacker adds SQL code to a Web form input box to gain access to resources or make changes to data.
What are SQL Injection attacks?
An SQL injection attack is a type of attack where a user of your form enters a piece of SQL code into it, and wraps it in special characters in such a way that the data entered doesn't get used for the purpose you had intended; instead it gets used to corrupt or destroy your database. When the attacker enters data into the form, that data is directly used to build a dynamic SQL query to retrieve data from the database. Such malicious code injection is called an SQL Injection attack. There are two forms of SQL Injection attacks:
1. Form Injection.
2. URL Injection.
What’s vulnerable?
A web application is vulnerable to SQL injection for only one reason – end user string input is not properly validated and is passed to a dynamic SQL statement. The string input is usually passed directly to the SQL statement. However, the user input may be stored in the database and later passed to a dynamic SQL statement. Because of the stateless nature of many web applications, it is common to write data to the database between web pages. This indirect type of attack is much more complex and requires in-depth knowledge of the application.
What’s not vulnerable?
SQL statements using bind variables are generally immune to SQL Injection attacks, as the Oracle database will use the value of the bind variable exclusively and not interpret the contents of the variable in any way. PL/SQL and JDBC allow for bind variables. Bind variables should be extensively used for both security and performance reasons.
[Stephen Kost, "An Introduction to SQL Injection Attacks for Oracle Developers"]
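The contrast drawn in the last three sections (string input spliced into a dynamic SQL statement versus a bind variable that the database never interprets) can be seen in a few lines of code. The example below is added here and is not from the document or from Kost's paper; it uses Python's built-in sqlite3 module as a stand-in for an Oracle/JDBC setup, and the users table, its rows, and the two form inputs are constructed for the demonstration. The mechanism is the same as the page describes: the dynamic version breaks on an ordinary apostrophe and returns every row for a value containing SQL, while the bound version treats the whole value as data and returns nothing for that same value.

```python
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    # Note the legitimate apostrophe in the third username.
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("o'brien", "obrien@example.com"),
        ],
    )
    return conn


def lookup_dynamic(conn, username):
    """Vulnerable pattern: the form value becomes part of the SQL text itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, username):
    """Hardened pattern: a bind variable; the value is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups over the same inputs and report what each one does."""
    conn = make_db()
    results = {}

    # An honest name containing a quote character.
    try:
        results["dynamic_apostrophe"] = lookup_dynamic(conn, "o'brien")
    except sqlite3.OperationalError:
        # The quote terminates the literal early and the statement no longer parses.
        results["dynamic_apostrophe"] = "syntax error"
    results["bound_apostrophe"] = lookup_bound(conn, "o'brien")

    # A constructed form value that carries SQL: the classic tautology.
    injected = "x' OR '1'='1"
    # Dynamic SQL now reads ... WHERE username = 'x' OR '1'='1' and matches every row.
    results["dynamic_injected_rows"] = len(lookup_dynamic(conn, injected))
    # The bound query looks for a user literally named x' OR '1'='1 and finds none.
    results["bound_injected_rows"] = len(lookup_bound(conn, injected))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The apostrophe case is the one to watch in code review: a query that fails on "o'brien" is almost always a query that will also accept injected SQL, since both symptoms come from the same root cause, the database parsing user-supplied text. Escaping quotes by hand only papers over the apostrophe symptom; the bind variable fixes both.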