SQL Injection
(Prevention Mechanism)
Adzmely Mansor
adzmely@gmail.com
understanding
pen-test existing internal application
good practice / methods of SQL injection prevention in programming
Not a license to KILL !!!
Web Server
Openly launch attack from compromised server
comments/inline comments
admin --
select username,password where
username=admin-- and
password=pass;
comments/inline comments
or 1=1--
select username,password where
username=admin and
password= or 1=1-- ;
GET/POST methods
unescaped numerical value
single quote unescaped string
double quotes unescaped string
etc
unescaped numerical
Open Lesson 1a URL
do some test
try to detect sql injection vulnerability
try to exploit
POST Method
Open Lesson 3 URL
do some test
try to detect sql injection vulnerability
Whose Responsibility?
No SQL database, connector, or framework can prevent SQL injection all the time.
Security is the application developer's job.
<?php
if (! $query) {
    // This is BAD: printing the raw database error to the visitor
} ....
Not only does this confuse/anger the visitor, but it also reveals sensitive information about your application (table names, query text, driver messages).
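As an added example (not code from the original slides), this is the shape of query failure handling the slide argues for: the driver message goes to the server log, the visitor only sees a generic message. It assumes a PDO connection created with PDO::ERRMODE_EXCEPTION and a table named News; error_log() writes wherever PHP's error log is configured.

```php
<?php
// Added example, not from the original slides. Assumes $pdo was created with
// $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION) so failures
// throw instead of returning false, and that a table "News" exists (assumption).
declare(strict_types=1);

function loadNews(PDO $pdo, int $id): ?array
{
    try {
        $stmt = $pdo->prepare('SELECT * FROM News WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // Details (SQLSTATE, driver message, failing statement) stay server-side.
        error_log(sprintf('news lookup failed (id=%d): %s', $id, $e->getMessage()));
        // The visitor gets a generic response with nothing about the schema or query.
        http_response_code(500);
        echo 'Sorry, something went wrong. Please try again later.';
        return null;
    }
}
```

The same pattern applies to the old mysql_* functions: check the return value, log mysql_error() server-side, and never echo it into the page.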
$id = $_GET['id'];
$category = $_GET['category'];
mysql_real_escape_string(%something...),
%_);
You don't need to deal with escaping data because it's done by the PDO library.
SELECT * FROM News WHERE id = ?
[Figure: parse trees of the simple query SELECT * FROM News WHERE id = ?]
- With a parameter placeholder: the ? is one leaf of the tree under the equality (=) node for id.
- With the parameter value 254 bound: the leaf holds 254 and the shape of the tree is unchanged.
- With SQL injection (no parameter, value pasted into the query text): the WHERE node becomes expr OR TRUE; the input can change the tree.
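The comment and OR 1=1 payloads from the earlier slides and the parse-tree figure above, shown side by side in code. This is an added example, not from the original slides: it uses an in-memory SQLite database through PDO so it runs offline, and the News table contents and the "attacker-style" input are constructed for the demonstration.

```php
<?php
// Added example, not from the original slides. Uses SQLite in memory so it runs
// without a MySQL server; the News rows below are constructed test data.
declare(strict_types=1);

function setup(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE News (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO News VALUES (254, 'public story'), (255, 'unpublished draft')");
    return $pdo;
}

// Vulnerable: the request value is pasted into the SQL text, so an input such
// as "254 OR 1=1" becomes part of the parse tree (WHERE expr OR TRUE) and the
// query returns every row.
function newsByIdConcat(PDO $pdo, string $id): array
{
    $sql = 'SELECT * FROM News WHERE id = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the placeholder is a leaf of the tree fixed at prepare() time. The
// bound value can only fill that leaf; it cannot add operators or comments.
function newsByIdPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM News WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = setup();
$normal = '254';          // what the application expects
$hostile = '254 OR 1=1';  // constructed attacker-style input

printf("concat, normal input:    %d row(s)\n", count(newsByIdConcat($pdo, $normal)));   // 1
printf("concat, hostile input:   %d row(s)\n", count(newsByIdConcat($pdo, $hostile)));  // 2 (tree changed)
printf("prepared, normal input:  %d row(s)\n", count(newsByIdPrepared($pdo, $normal))); // 1
printf("prepared, hostile input: %d row(s)\n", count(newsByIdPrepared($pdo, $hostile))); // 0 (treated as one value)
```

With the prepared statement the whole string "254 OR 1=1" is compared against the id column as a single value; SQLite finds no such id and returns nothing, and MySQL would at most coerce the leading digits to 254 with a warning. Either way the OR never reaches the parser. Prepared statements do not, however, help with the sort-order case on the next slides, where the untrusted value is a column name rather than a value.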
http://example.org/news.php?sort=date&dir=up
<?php
$sortorder_default = 'status';
$direction_default = 'ASC';
$query = mysql_query($sql);
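Column names and ORDER BY directions cannot be passed as PDO parameters, so the defaults on this slide are best used as part of a whitelist: the request value is only used if it matches a known column, otherwise the default applies. Added example, not from the original slides; the list of sortable columns is an assumption.

```php
<?php
// Added example, not from the original slides. Identifiers (column names) and
// keywords (ASC/DESC) cannot be bound as parameters, so they are selected from
// a fixed whitelist. The column list is an assumption for the News table.
declare(strict_types=1);

const SORT_COLUMNS = ['status', 'date', 'title'];
const DIRECTIONS   = ['up' => 'ASC', 'down' => 'DESC']; // request value => SQL keyword

function orderClause(?string $sort, ?string $dir): string
{
    $sortorder_default = 'status';
    $direction_default = 'ASC';

    // Strict comparison: the request value must exactly equal a whitelisted name.
    $column    = in_array($sort, SORT_COLUMNS, true) ? $sort : $sortorder_default;
    // The request never supplies the SQL keyword itself; it selects one from the map.
    $direction = DIRECTIONS[$dir ?? ''] ?? $direction_default;

    return "ORDER BY $column $direction";
}

// news.php?sort=date&dir=up      -> ORDER BY date ASC
// news.php?sort=unknown&dir=left -> ORDER BY status ASC (both values rejected, defaults used)
$sql = 'SELECT * FROM News ' . orderClause($_GET['sort'] ?? null, $_GET['dir'] ?? null);
```

Because only whitelisted strings are ever concatenated, the request value itself never appears in the SQL text, which is what makes this safe without escaping.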
open lesson1.php?name=Abu
Selamat Datang Abu
lesson1.php?name=</script>alert(/XSS/);</script>
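The lesson page echoes the name parameter straight into the HTML, which is why the second URL runs script. As an added example, not part of the original lesson, this is the greeting written with output encoding, so the same input is shown as text instead of being interpreted as markup.

```php
<?php
// Added example, not from the original lesson1.php. Encodes the name for an
// HTML context before echoing it; the rest of the page layout is assumed.
declare(strict_types=1);

function greeting(string $name): string
{
    // ENT_QUOTES encodes both quote styles so the value is also safe inside
    // attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string.
    return 'Selamat Datang ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

header('Content-Type: text/html; charset=UTF-8');
echo greeting($_GET['name'] ?? '');
// name=Abu                          -> Selamat Datang Abu
// name=<script>alert(/XSS/);</script> -> the tags arrive as &lt;script&gt;... and are displayed, not executed
```

The encoding has to match the context the value lands in: htmlspecialchars() is right for HTML text and attributes, but a value placed inside a JavaScript block or a URL needs a different encoding.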