{"id":125,"date":"2009-02-16T13:48:04","date_gmt":"2009-02-16T18:48:04","guid":{"rendered":"http:\/\/mikeconley.ca\/blog\/?p=125"},"modified":"2023-12-20T16:25:22","modified_gmt":"2023-12-20T21:25:22","slug":"preventing-sql-injection-attacks","status":"publish","type":"post","link":"https:\/\/mikeconley.ca\/blog\/2009\/02\/16\/preventing-sql-injection-attacks\/","title":{"rendered":"Preventing SQL Injection Attacks"},"content":{"rendered":"<p>Over the reading week, along with studying for various midterms and assignments, I&#8217;ve decided to brush up on preventing SQL Injection attacks in web applications.<\/p>\n<p>Pretty scary\/awesome stuff out there on this topic.\u00a0 <a href=\"http:\/\/www.hackthissite.org\" target=\"_self\" rel=\"noopener\">Here&#8217;s a great place to get some SQL Injection training<\/a>, and <a href=\"http:\/\/ferruh.mavituna.com\/sql-injection-cheatsheet-oku\/\" target=\"_self\" rel=\"noopener\">here&#8217;s an excellent SQL Injection cheat sheet<\/a>.<\/p>\n<p>I got hit with a pretty bad SQL Injection attack last summer on an application I had written 3 years ago (before I had any clue that SQL Injection attacks were possible).<\/p>\n<p>Here&#8217;s the take-home message:\u00a0 <strong>never trust user input.\u00a0 Ever. 
<\/strong>If you&#8217;re expecting an int, make sure it&#8217;s an int.\u00a0 <strong>Never insert user input directly into an SQL string.<\/strong> Use prepared statements instead, or stored procedures.<\/p>\n<p>Luckily, I just did a quick survey of all of my running apps, and I seem to be OK in terms of SQL Injection.\u00a0 Still, it&#8217;s a common attack vector &#8211; and the consequences of being lazy on user input can be pretty awful.<\/p>\n<p><strong>Update: <\/strong> Want to see something awesome?\u00a0 <a href=\"http:\/\/www.milw0rm.com\/video\/watch.php?id=92\" target=\"_self\" rel=\"noopener\">Check this out &#8211; a Debian box gets rooted through MySQL injection&#8230;killer soundtrack too.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over the reading week, along with studying for various midterms and assignments, I&#8217;ve decided to brush up on preventing SQL Injection attacks in web applications. Pretty scary\/awesome stuff out there on this stuff.\u00a0 Here&#8217;s a great place to get some SQL Injection training, and here&#8217;s an excellent SQL Injection cheat sheet. 
I got hit with [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[5,44,10,51],"tags":[55,1210,1211,52,53,54],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-computer-science","category-internet","category-php","category-security","tag-hacking","tag-internet","tag-security","tag-sql","tag-sql-injection","tag-web-applications"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/prmTy-21","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":5,"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/posts\/125\/revisions"}],"predecessor-version":[{"id":3275,"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/posts\/125\/revisions\/3275"}],"wp:attachment":[{"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/media?parent=125"}],"wp:term":[{
"taxonomy":"category","embeddable":true,"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/categories?post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikeconley.ca\/blog\/wp-json\/wp\/v2\/tags?post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}