To offer other prevention tips:
If you are using PHP to talk to MySQL there is a new extension in PHP 5.1.x called PDO. This extension allows you to prepare statements doing something like:
$SQL = "select * from foo where column1 = ?";
$stmt = $PDOconnection->prepare($SQL);
$stmt->execute(array($var));
PDO will parse the $var variable in such a way as to prevent SQL injection.
answer #1 · answered by John J 6 · 2006-07-11 10:13:11
SQL injection happens because newbie web app developers write things like this in their code
"SELECT * FROM myTble WHERE field = " + myFieldVar
So then a clever cracker realizes that the myFieldVar is retrieved from an input form or the URL parameters like
myapp?myvar=blue
Then they substitute the data with something like
"; DROP TABLE myTble"
and wham! Your DB table is gone because you learned web app development from some 21 Dummy Days book.
So the lesson here is to at the very least validate ALL input to a SQL statement, but better yet, use stored procedures.
There are classes in most Web App environments like ASP.NET and Java and PHP that are SQL Statement classes that will construct a safe SQL expression for you and check the input.
Never construct a SQL statement by concatenating strings.
answer #2 · answered by Anonymous · 2006-07-11 08:15:01
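The contrast drawn in the two answers above (string concatenation versus a prepared statement with a ? placeholder), as an added example that is not part of any answer on this page: it uses Python's sqlite3 module and a constructed in-memory table instead of PHP PDO, but the mechanism is the same.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
ROWS = [("blue", "sky"), ("red", "rose"), ("green", "grass")]


def make_db():
    """Create an in-memory SQLite database with a small sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTble (field TEXT, note TEXT)")
    conn.executemany("INSERT INTO myTble VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, value):
    """VULNERABLE: the concatenation form criticised in the answers.
    The input is pasted into the SQL text, so a quote character in it
    changes the structure of the statement instead of being data."""
    sql = "SELECT field, note FROM myTble WHERE field = '" + value + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, value):
    """SAFE: the value is sent as a bound parameter, never as SQL text,
    so the database treats it purely as a literal (same idea as PDO's ?)."""
    sql = "SELECT field, note FROM myTble WHERE field = ?"
    return conn.execute(sql, (value,)).fetchall()


def demo():
    """Run both lookups against a normal value and a constructed tainted one."""
    conn = make_db()
    normal = "blue"
    tainted = "blue' OR '1'='1"  # constructed input that breaks out of the quotes
    return {
        "concat_normal": lookup_concat(conn, normal),
        "param_normal": lookup_param(conn, normal),
        "concat_tainted": lookup_concat(conn, tainted),   # returns every row
        "param_tainted": lookup_param(conn, tainted),     # matches nothing
    }
```

sqlite3's execute() refuses stacked statements, so the "; DROP TABLE" case from the answer cannot be reproduced here; the quote-breakout case shows the same structural flaw.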
SQL injection is basically a security vulnerability that occurs in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
In other words, it is a way to exploit (or steal) data from SQL databases. It's sort of like a trojan.
If you want to read more about it, try this article:
http://en.wikipedia.org/wiki/SQL_injection
PS: My explanation came mostly straight from the Wikipedia article, since it explains it much better than I can. =)
answer #3 · answered by Tech_Geek 2 · 2006-07-11 07:50:02
In response to the question above: you do not necessarily need to store pictures in the database with a column of type "blob", since you can base64_encode the image to convert it to a string and then store it as a VARCHAR or text column.
answer #4 · answered by ? 4 · 2016-12-10 08:01:17