Over the reading week, along with studying for various midterms and assignments, I’ve decided to brush up on preventing SQL Injection attacks in web applications.
Pretty scary/awesome stuff out there on this stuff. Here’s a great place to get some SQL Injection training, and here’s an excellent SQL Injection cheat sheet.
I got hit with a pretty bad SQL Injection attack last summer on an application I had written 3 years ago (before I had any clue that SQL Injection attacks were possible).
Here’s the take home message: never trust user input. Ever. If you’re expecting an int, make sure it’s an int. Never insert user input directly into an SQL string. Use prepared statements instead, or stored procedures.
Luckily, I just did a quick survey of all of my running apps, and I seem to be OK in terms of SQL Injection. Still, it’s a common attack vector – and the consequences of being lazy on user input can be pretty awful.
Update: Want to see something awesome? Check this out – a Debian box gets rooted through MySQL injection…killer soundtrack too.
Ping me Thursday, and I’ll give you a book on preventing SQL injection.
Deal.