Duncan Hill wrote:

On Tuesday 13 December 2005 02:25, Peter Lauri wrote:
Best group member,

How can I prevent people from hijacking a query? I read about this in an article
a few months ago, but now I cannot find that article again. This
question is maybe not so exact, and I do not know how risky it is to not
protect your system from database hijackers?

I believe what you're referring to are SQL Injection Attacks.

Hypothetical scenario:

You have a web script that runs some SELECT queries against a table. One day, a malicious user happens to be using the site when an SQL error occurs, and your table/database name is displayed to them. They change the content of a search box (or any other field in the web script that gets used directly in the query) to something like 1;'drop table mytable;' . Your script, which just so happens to have drop privs, happily executes a double query - the first part being what you wanted it to do, the second part being the drop table. There goes all of your data.

The methods to defeat this, to the best of my knowledge, include limiting the privileges of the web script user (or any user) to only do what they need to do. So if the script only needs to select data, don't give it any rights other than select, and if possible, only select on the tables it needs. The other damage limitation option is to validate all of your input. I use quoting on all fields, including integers, and in some fields I also use the HTML conversion functions to convert " to &quot; etc.

I found this helpful:
http://www.unixwiz.net/techtips/sql-injection.html

--
Bill Dodson
Parkline, Inc. http://www.parkline.com
phone: 304-586-2113 x149
fax: 304-586-3842
email: [EMAIL PROTECTED]
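The scenario and the two defences Duncan describes, as an added example that is not code from this thread: Python with sqlite3 stands in for the MySQL web script, `mytable` and its rows are constructed sample data, and SQLite's `query_only` pragma stands in for granting the script user SELECT only.

```python
import sqlite3

# The stacked input from the thread: a valid id followed by a second statement.
INJECTED = "1; DROP TABLE mytable"


def make_db():
    """Constructed sample data standing in for the thread's 'mytable'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'mytable'"
    ).fetchone()
    return row[0] == 1


def lookup_unsafe(conn, user_input):
    """Vulnerable form: the field is pasted into the SQL text.

    executescript() stands in for a driver that runs stacked statements, as in
    the thread. Returns True if everything ran, False if the database refused
    a write (the 'select only' case)."""
    sql = f"SELECT name FROM mytable WHERE id = {user_input}"
    try:
        conn.executescript(sql)
        return True
    except sqlite3.OperationalError:
        return False


def lookup_safe(conn, user_input):
    """Hardened form: validate the field (an id must be an integer) and bind it
    as a parameter, so the driver never interprets it as SQL."""
    if not str(user_input).isdigit():
        raise ValueError("id must be a positive integer")
    rows = conn.execute("SELECT name FROM mytable WHERE id = ?", (int(user_input),))
    return [name for (name,) in rows.fetchall()]


def restrict_to_select(conn):
    """Stand-in for a SELECT-only grant: SQLite refuses every write afterwards,
    so even a stacked DROP from a vulnerable query does no damage."""
    conn.execute("PRAGMA query_only = 1")
```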


--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]