
Web Attacks Through SQL Injection

A New Solution to Increase SQL Based Applications Security

By Catalin Bocanu, Web News Editor

28th of January 2008, 17:00 GMT

[Image: Example of an application based on MySQL Database]
Relational databases are managed with SQL (Structured Query Language), which lets you manipulate data held in a collection of tables. In practice, at the web level, SQL is the bridge of communication between a web application and its database, and it is over that bridge that the user ends up interacting with the database at some point in any database-driven application.

SQL injection is an attack method that exploits security vulnerabilities in web applications with a database backend. It takes many forms, but it basically consists of malicious SQL code (or SQL that the application never intended to run) which, once executed, can lead to the complete destruction of a database, the disclosure of confidential information from the database records, and more.

Web forms are the most exposed to SQL injection attacks. For example, if the following SQL statement ends up being run by a login system, a user is selected from the usersname table even without valid credentials, because the boolean expression 'a'='a' evaluates to true in every situation:

CODE
SELECT * FROM usersname WHERE name = 'John' OR 'a'='a';

In the case presented above, an attacker could bypass the authentication system or, worse, compromise the database with a DROP TABLE statement. Fortunately, there are solutions that increase the general security of web applications backed by relational databases.

Martin Bravenboer presents a new method for avoiding these security leaks in database-driven applications in his Ph.D. thesis, entitled "Exercises in Free Syntax: Syntax Definition, Parsing, and Assimilation of Language Conglomerates". The technique for completely removing SQL insecurities is based on the use of an API (application programming interface) combined with simple string manipulation.

The method of embedding the syntax of SQL into a host language such as Java or PHP is generalized to many host/guest pairs of programming languages. The content of the Ph.D. thesis is available online as a PDF document and can help you better understand both the mechanisms of SQL injection and the recommended coding practices.
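The login bypass described above, and the principle behind the fix (the SQL structure is fixed by the programmer and user input can only ever be a value), shown as an added example that is not taken from the article or from the thesis. It uses Python's sqlite3 placeholders to stand in for the thesis's syntax-embedding API; the table layout and the sample user are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data modelled on the article's "usersname" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usersname (name TEXT, password TEXT)")
    conn.execute("INSERT INTO usersname VALUES ('John', 's3cret')")
    return conn


def login_vulnerable(conn, name, password):
    # User input is spliced into the SQL text, so a quote in the input can
    # change the structure of the query itself (the article's 'a'='a' case).
    query = (f"SELECT * FROM usersname WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, name, password):
    # The query structure is fixed at coding time; the driver hands the
    # values to the database separately, so input is never parsed as SQL.
    query = "SELECT * FROM usersname WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def demo():
    conn = make_db()
    # Constructed input carrying the article's always-true tautology.
    tautology = "x' OR 'a'='a"
    return {
        "vuln_valid": login_vulnerable(conn, "John", "s3cret"),
        # Vulnerable version: the WHERE clause becomes
        # ... AND password = 'x' OR 'a'='a', which matches every row.
        "vuln_tautology": login_vulnerable(conn, "John", tautology),
        "safe_valid": login_safe(conn, "John", "s3cret"),
        # Safe version: the same text is compared literally as a password.
        "safe_tautology": login_safe(conn, "John", tautology),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:15s} -> login {'granted' if granted else 'denied'}")
```

A name containing an apostrophe (for example O'Brien) also shows the difference: it is a syntax error for the concatenated query but an ordinary value for the parameterized one.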
