On Tuesday 13 December 2005 02:25, Peter Lauri wrote:
> Best group member,
>
>
>
> How can I prevent people from hijacking a query? I read this in an article
> about a few months ago, but now I can not find that article again. This
> question is maybe not so exact, and I do not know how risky it is to not
> protect your system from database hijackers?

I believe what you're referring to are SQL Injection Attacks.

Hypothetical scenario:

You have a web script that runs some SELECT queries against a table.  One day, 
a malicious user happens to be using the site when an SQL error occurs, and 
your table/database name is displayed to them.  They change the content of a 
search box (or any other field in the web script that gets used directly in 
the query) to something like   1;'drop table mytable;'   .  Your script, 
which just so happens to have drop privs, happily executes a double query - 
the first part being what you wanted it to do, the second part being the drop 
table.  There goes all of your data.

The methods to defeat this, to the best of my knowledge, include limiting the 
privileges of the web script user (or any user) to only do what they need to 
do.  So if the script only needs to select data, don't give it any rights 
other than select, and if possible, only select on the tables it needs.  The 
other damage limitation option is to validate all of your input.  I use 
quoting on all fields, including integers, and in some fields I also use the 
HTML conversion functions to convert " to &quot; etc.

-- 
Critical Software.
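The scenario and the two defences described in the reply (keep the script's database user to SELECT only, and never let raw field values become part of the SQL text), as an added example that is not part of the original post. It uses Python's standard `sqlite3` module in place of MySQL so it runs offline; the table, rows, function names and the injected field values are constructed for the demonstration. `executescript()` stands in for a client configured to run several statements per call, which is what the stacked "1; drop table" input needs.

```python
import sqlite3

# Constructed sample schema standing in for the web script's table.
SCHEMA = """
CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO mytable VALUES (1, 'alice'), (2, 'bob');
"""

# Constructed attacker-controlled field values, shaped like the post's example:
# a numeric field carrying a second statement, and a text field carrying a quote.
INJECTED_ID = "1; DROP TABLE mytable;"
INJECTED_NAME = "x'; DROP TABLE mytable; --"


def open_db():
    """Fresh in-memory database with the sample table loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name="mytable"):
    """True if the table is still in the schema catalogue."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def vulnerable_lookup(conn, user_input):
    """The flaw from the post: the field is pasted into the SQL text.

    executescript() mimics a driver that accepts several statements in one
    call, so everything after the ';' in the field is executed as well.
    """
    conn.executescript("SELECT name FROM mytable WHERE id = %s" % user_input)


def safe_lookup_by_id(conn, user_input):
    """Validate the field as an integer, then bind it as a parameter.

    Returns None (no query is sent) when the field is not an integer.
    """
    try:
        record_id = int(user_input)
    except ValueError:
        return None
    rows = conn.execute(
        "SELECT name FROM mytable WHERE id = ?", (record_id,)
    ).fetchall()
    return [name for (name,) in rows]


def safe_lookup_by_name(conn, user_input):
    """Text fields go through the same binding; the driver handles quoting.

    The value is compared as a whole string, so quotes, semicolons or
    comment markers inside it never reach the SQL parser.
    """
    rows = conn.execute(
        "SELECT id FROM mytable WHERE name = ?", (user_input,)
    ).fetchall()
    return [record_id for (record_id,) in rows]


def demo():
    """Run each path against a fresh database and report whether the table survived."""
    results = {}

    conn = open_db()
    vulnerable_lookup(conn, INJECTED_ID)
    results["vulnerable"] = table_exists(conn)  # False: the DROP ran

    conn = open_db()
    results["safe_id"] = (safe_lookup_by_id(conn, INJECTED_ID), table_exists(conn))

    conn = open_db()
    results["safe_name"] = (safe_lookup_by_name(conn, INJECTED_NAME), table_exists(conn))
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(path, outcome)
```

Parameter binding covers the "validate and quote all fields, including integers" advice in one mechanism, because the value is sent separately from the statement text. The privilege half of the advice has no SQLite equivalent; in MySQL it is a plain grant such as `GRANT SELECT ON mydb.mytable TO 'webuser'@'localhost';` for the account the web script connects as, so that even a successful injection cannot drop anything. Many MySQL client libraries also leave multi-statement execution disabled by default, and keeping it that way removes the stacked-query case shown above entirely.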

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]