
SQL Injection


SQL Injection (SQLi) is an injection attack in which an attacker executes malicious SQL statements (commonly called the malicious payload) against a web application’s database server. Any website or web application that builds SQL queries from user-supplied input can be affected.

A successful attacker can bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete records in a database.

A 2012 study observed that the average web application received 4 attack campaigns per month, and that retailers received twice as many attacks as other industries.

A SQL injection needs two conditions to exist:

  • A relational database that uses SQL
  • A user controllable input which is directly used in an SQL query.

Subclasses of SQLi –

  1. Classic SQLi
  2. Blind or Inference SQLi
  3. Database management system-specific SQLi
  4. Compounded SQLi

Example—

[Figure sql-example-1: the login query, built by concatenating the username and password fields into the SQL text]

Here the user must provide a username and a password. If an attacker supplies ‘or 0=0’ as both the username and the password, the query becomes:

[Figure sql-example-3: the same query with the injected condition in place of the username and password values]

Because the injected condition is true for every row, the query no longer checks the credentials at all and returns every record in the table.

In this way an attacker is able to view sensitive information.

How to prevent SQLi—

  • Validate user input against a set of rules (an allow-list of what a field may contain) before it reaches a query.
  • Give the application’s database user only the least privileges it needs.
  • Don’t use the ‘SA’ account (or any other administrative account) for web applications.
  • Use application-specific database user accounts.
  • Remove all stored procedures that are not in use.
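The login check from the example above and the input-validation and least-privilege items in the prevention list, as an added worked example in Python that is not code from the original post. The vulnerable function concatenates the two fields into the query text exactly as the page’s example does, so the payload `' or 0=0 --` (the comment-terminated form of the page’s ‘or 0=0’ input; the exact spelling in the original figure is not on the page) returns every row. The parameterised version passes the same input as data and returns nothing, and a small allow-list check implements the input-validation item. The table, its rows and the username pattern are constructed for this example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, as in the page's example.

    Deliberately vulnerable: the attacker's input becomes part of the SQL
    text, so a quote in the input ends the string literal and the rest of
    the input is parsed as SQL.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values travel
    separately, so quotes or comment markers in the input are just data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Allow-list for the username field (assumed policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(username):
    """Input validation from the prevention list: accept only what the
    field is allowed to contain, rather than trying to strip bad characters."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 0=0 --"
    # Both rows come back: the WHERE clause collapsed to "username = '' or 0=0".
    print(login_vulnerable(conn, payload, "anything"))
    # No row matches: the driver looks for a user literally named "' or 0=0 --".
    print(login_safe(conn, payload, "anything"))
    print(valid_username("alice"), valid_username(payload))
```

Parameterised queries are the primary fix, because they make it impossible for input to change the structure of the statement; allow-list validation and an application-specific, least-privileged database account (never ‘SA’) are defence in depth that limits what an injected query could read or change if one still gets through.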

————–

The countdown for the SQL Gulf event has started, 2 days remaining

Dear,

The countdown for the SQL Gulf event has started and only a limited number of seats remain, so please don’t wait: go directly to registration to secure your seat. You can also find the event schedule on the Microsoft Technical Community and Microsoft Curah pages:

https://www.technicalcommunity.com/Events/EventDetails.aspx?eventid=648e7e55-f2dc-4445-abce-875016d9633d

https://curah.microsoft.com/186402/sql-gulf-1-event-at-riyadh-on-3082014

 


Posted on August 28, 2014 in Uncategorized

 

My blog {Database (SQL Server, Oracle) World} Status


Posted on December 25, 2012 in Uncategorized