By N2H
SQL injection attack
December 18, 2009
A SQL injection attack uses malicious code to take advantage of a security vulnerability in a database or web-based application. These attacks are carried out using SQL commands and can have serious implications, such as taking control of the SQL server or elevating privileges so that the attacker controls the database with an administrator's rights, allowing them to add, edit and even drop tables. (http://www.stardeveloper.com/articles/display.html?article=2008112501&page=1)
A SQL injection attack can be prevented by implementing sanitization techniques, such as defining what type of value is expected and using functions like replace(str, "'", "''") when expecting a string value as user input, or getsecureval(cstr(param), "'", "''") when accepting user input from cookies. Both methods replace any single apostrophe entered by a SQL injection attack with a doubled apostrophe, which breaks the injected statement and produces an error instead of executing it.
One can also use CLng() when expecting numeric values from the user: it first checks whether the input can be converted to a number and, if malicious code is supplied instead, produces an error. Most web developers tend to focus on security holes in the operating system or the web server the website runs on, forgetting the programming language, such as SQL, used to develop the website's database.
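The following is an added example, not code from the original post; it re-implements the two sanitization techniques described above (doubling single quotes, as the post's replace(str, "'", "''") does, and rejecting non-numeric input, as CLng() does) in Python against an in-memory SQLite table so the effect can be observed. The table contents, the function names (escape_quotes, to_long, find_user_*) and the use of SQLite are all assumptions made for the example. It also shows, for comparison, a parameterized query, which the post does not mention but which is the usual way to keep user input out of the SQL text entirely.

```python
import re
import sqlite3

# Constructed sample rows standing in for the web application's user store.
SAMPLE_USERS = [(1, "alice"), (2, "O'Brien"), (3, "carol")]


def build_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def escape_quotes(value):
    """Equivalent of the post's replace(str, "'", "''"): double every single
    quote so SQL reads it as a literal apostrophe inside a string."""
    return value.replace("'", "''")


def to_long(value):
    """Equivalent of the post's CLng(): accept only an integer literal and
    raise ValueError for anything else, including trailing SQL text."""
    if not re.fullmatch(r"\s*[+-]?\d+\s*", value):
        raise ValueError("not a numeric value: %r" % value)
    return int(value)


def find_user_unescaped(conn, name):
    """Vulnerable form: user input spliced straight into the SQL string."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_escaped(conn, name):
    """Hardened with the post's technique: quotes are doubled before splicing."""
    sql = "SELECT id, name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return conn.execute(sql).fetchall()


def find_user_by_id(conn, raw_id):
    """Numeric input: coerce with to_long() first, then bind the value."""
    uid = to_long(raw_id)
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


def find_user_param(conn, name):
    """Alternative not on the page: a parameterized query. The driver keeps
    the value separate from the SQL text, so no quote handling is needed."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Run each lookup on a legitimate name containing an apostrophe and on a
    malformed numeric id; return the outcomes keyed by technique."""
    conn = build_db()
    results = {}
    try:
        find_user_unescaped(conn, "O'Brien")
        results["unescaped"] = "no error"
    except sqlite3.OperationalError as exc:
        # The stray quote breaks the statement, which is the error the post describes.
        results["unescaped"] = "error: %s" % exc
    results["escaped"] = find_user_escaped(conn, "O'Brien")
    results["param"] = find_user_param(conn, "O'Brien")
    results["by_id"] = find_user_by_id(conn, "2")
    try:
        find_user_by_id(conn, "2 OR 3")  # constructed non-numeric input
        results["bad_id"] = "accepted"
    except ValueError:
        results["bad_id"] = "rejected"
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "->", val)
```

Running the script shows the unescaped query failing with a syntax error on a perfectly legitimate name, while the escaped and parameterized forms both return the O'Brien row; the to_long() check rejects "2 OR 3" before any SQL is built, which is the behaviour the post attributes to CLng().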