Anatomy of a SQL Injection Attack
Trailrunner7 writes "SQL injection has become perhaps the most widely used technique for compromising Web applications, thanks to both its relative simplicity and high success rate. It's not often that outsiders get a look at the way these attacks work, but a well-known researcher is providing just that. Rafal Los showed a skeptical group of executives just how quickly he could compromise one of their sites using SQL injection, and in the process found that the site had already been hacked and was serving the Zeus Trojan to visitors."
Los's original blog post has more and better illustrations, too.
...for these modern times.
Does my bum look big in this?
http://xkcd.com/327/
You can't stop reading slashdot. Full of nonsensical arguments, but you read on, your brain oozes, your eyes are red, dry and hurt. Still, you read on, and participate in the debate. You don't recognize your odd behavior. There's a sequel reply injected into your brain. It's a slash dot sequel brain virus injection. There's no cleaning utility, you will need to reformat your brain.
Build your own energy sources from scratch. http://otherpower.com/
I remember that Perl was not too good for web programming. It was unstable in a sense that variables sometimes got strange values inexplicably.
Perhaps less (or more) drinking would help?
It's very simple. Don't use any of the mysql_* functions.
Use the PDO prepare function (http://dk2.php.net/manual/en/pdo.prepare.php) and remember never to pass any input you got from the user directly into the string you give to prepare.
In most cases (99%) the string you give to the prepare function should really be constant and not depend on user input at all.
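The pattern the comment above recommends, as an added example that is neither from the article nor from the commenter: the string-concatenation style it warns against beside a PDO prepared statement whose SQL text is constant, plus an allowlist for the identifier case (ORDER BY column) that cannot be passed as a bound parameter. The table, column names and the in-memory SQLite DSN are assumptions for illustration.

```php
<?php
// Added example, not from the Slashdot post or its comments. The users
// table, its columns and the SQLite DSN are assumptions for illustration.

// VULNERABLE: user input is spliced into the SQL text, so the database
// cannot tell query structure from data.
function findUserUnsafe(PDO $db, string $username): ?array {
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the SQL string is a constant; the value travels separately as a
// bound parameter and is never interpreted as SQL.
function findUserSafe(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The remaining 1%: identifiers (column names, sort direction) cannot be
// bound as parameters. Map user input onto a fixed allowlist so that only
// values you wrote yourself ever reach the SQL text.
function listUsersSorted(PDO $db, string $requestedColumn, string $requestedDir): array {
    $columns = ['username' => 'username', 'created' => 'created_at'];
    $column  = $columns[$requestedColumn] ?? 'username';
    $dir     = strtoupper($requestedDir) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $db->prepare("SELECT id, username FROM users ORDER BY $column $dir LIMIT :limit");
    $stmt->bindValue(':limit', 50, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created_at TEXT)');
$db->exec("INSERT INTO users (username, created_at) VALUES ('o''brien', '2010-01-01')");
var_dump(findUserSafe($db, "o'brien"));   // found: the apostrophe is just data
try {
    findUserUnsafe($db, "o'brien");        // a plain apostrophe already breaks the query
} catch (PDOException $e) {
    echo "unsafe query failed on an ordinary name: ", $e->getMessage(), "\n";
}
var_dump(listUsersSorted($db, 'created', 'desc'));
```

The failure of the unsafe version on an ordinary name with an apostrophe is the same defect an attacker exploits; the safe version never has to care what characters the input contains.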