Home

Archive for the ‘web application protection’ Category

SQL Injection

Thursday, January 3rd, 2008

I found this excellent piece of art that made me smile…

In case you were wondering what SQL Injection means, it is a trick to inject SQL command as an input possibly via web pages.

As seen above, the kid’s name is Robert’);DROP Table STUDENTS;–

Now, if you run a login form that has a user name and a password, usually the sql query behind this login form looks like that:

SELECT * FROM STUDENTS WHERE NAME=’$name’ AND PASSWORD=’$password’

Now, if someone is trying to perform an SQL Injection attack, take Robert’s name and put it as $name, and the SQL query will look like that:

SELECT * FROM STUDENTS WHERE NAME=’Robert’);DROP Table STUDENTS;–‘ AND PASSWORD=’$password’

It is quite easy to protect your system from SQL Injection on the coding phase but usually web programmers tend to do a bad job regarding security.

I’ll write some more about this issue soon…


DiggRedditSlashdotTwitThisSphinnStumbleUpondel.icio.usFacebookGoogleTechnoratiE-mail this story to a friend!

Tags: ,
Posted in fun, security, web application protection, web development | 2 Comments »