SQL injection [message #449325] Mon, 29 March 2010 03:54
Littlefoot
Messages: 21806
Registered: June 2005
Location: Croatia, Europe
Senior Member
Account Moderator
Now and then we come to "SQL injection" term (just like in this topic). Wikipedia talks about real world examples, but - did any of you, personally, ever deal with it? If so, could you say a word or two about it?
Re: SQL injection [message #449334 is a reply to message #449325] Mon, 29 March 2010 04:11
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Shame on me, I was the target of such an injection in one of my PHP pages (on a test machine before it went into production, hopefully) during an audit, because I didn't use a bind variable in one query (displaying the execution plan for a SQL id); after several tries the auditor succeeded in adding "UNION SELECT CONCAT(name,CONCAT(' - ',password)) FROM sys.user$" to this query, which was executed by a user having the "select any dictionary" privilege, and received the list of all accounts with their password hash values.

Regards
Michel
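The pattern Michel describes, as an added example that is not code from the post or from his PHP page: the request parameter spliced into the SQL text so that a quote plus UNION appends a second query, next to the same lookup done with a bind variable. SQLite stands in for Oracle so it runs offline; the tables plan_table (for the execution-plan view keyed by sql_id) and user_accounts (for sys.user$) and their rows are constructed here, and '||' replaces Oracle's CONCAT. The allowlist check relies on the fact that an Oracle SQL_ID is a 13-character string of lowercase letters and digits.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed stand-in data: plan_table plays the execution-plan view,
    # user_accounts plays sys.user$ (name, password hash). Hashes are made up.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE plan_table (sql_id TEXT, operation TEXT);
        CREATE TABLE user_accounts (name TEXT, password TEXT);
        INSERT INTO plan_table VALUES ('g2c7zz7bhbvfu', 'SELECT STATEMENT');
        INSERT INTO plan_table VALUES ('g2c7zz7bhbvfu', 'TABLE ACCESS FULL');
        INSERT INTO user_accounts VALUES ('SYS', 'A1B2C3D4E5F6A7B8');
        INSERT INTO user_accounts VALUES ('SCOTT', 'F894844C34402B67');
        """
    )
    return conn

def plan_vulnerable(conn: sqlite3.Connection, sql_id: str) -> list[str]:
    # The flaw from the post: the parameter is concatenated into the SQL text,
    # so a quote in the payload closes the literal and the rest is parsed as SQL.
    sql = f"SELECT operation FROM plan_table WHERE sql_id = '{sql_id}'"
    return [row[0] for row in conn.execute(sql)]

def plan_bound(conn: sqlite3.Connection, sql_id: str) -> list[str]:
    # Bind variable: the parameter travels as data and is never parsed as SQL,
    # so the same payload is just a 13+ character string that matches no row.
    sql = "SELECT operation FROM plan_table WHERE sql_id = ?"
    return [row[0] for row in conn.execute(sql, (sql_id,))]

# Oracle SQL_ID format: 13 lowercase alphanumerics (a superset of the real
# base-32 alphabet, good enough as an allowlist before the query is built).
SQL_ID_RE = re.compile(r"[0-9a-z]{13}")

def plan_bound_validated(conn: sqlite3.Connection, sql_id: str) -> list[str]:
    # Defense in depth on top of binding: reject anything that is not shaped
    # like a SQL_ID so garbage never reaches the database at all.
    if not SQL_ID_RE.fullmatch(sql_id):
        raise ValueError(f"invalid sql_id: {sql_id!r}")
    return plan_bound(conn, sql_id)

# The auditor's payload adapted to SQLite: the quote closes the literal, UNION
# appends a one-column query (same column count as the original), and '--'
# comments out the quote the template appends after the parameter.
PAYLOAD = "x' UNION SELECT name || ' - ' || password FROM user_accounts --"

if __name__ == "__main__":
    conn = make_db()
    print("concatenated:", plan_vulnerable(conn, PAYLOAD))  # account - hash rows leak
    print("bound:       ", plan_bound(conn, PAYLOAD))       # []
    print("legit:       ", plan_bound_validated(conn, "g2c7zz7bhbvfu"))
```

The bind variable alone closes the hole; the allowlist is there because a plan viewer has no reason to accept anything but a SQL_ID. The privilege point in the post still stands on its own: the UNION only returned hashes because the connecting account could read the dictionary, so running the page under a least-privileged account would have limited what an injection could reach.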
Re: SQL injection [message #449437 is a reply to message #449334] Mon, 29 March 2010 09:27
ThomasG
Messages: 3211
Registered: April 2005
Location: Heilbronn, Germany
Senior Member
Not a malicious one. But some of the applications that I inherited had some problems in that direction.

I basically ran into failed transactions in some interfaces when stock items or customers (like "Tony's Bar" for example) had single quotes (or apostrophes) in them.


Re: SQL injection [message #449600 is a reply to message #449437] Tue, 30 March 2010 14:39
Littlefoot
Messages: 21806
Registered: June 2005
Location: Croatia, Europe
Senior Member
Account Moderator
Thank you, both of you.

It appears that people didn't see much of SQL injection. Or, they don't want to talk about it.

Moreover, I guess that one has to be an expert in order to be able to recognize a chance of injecting and, finally, know how to do that.

OK then; it would be nice to hear other stories, if someone is willing to share.