12:18 SQL injection
Category: design

This vulnerability lets an attacker alter the query sent to the database by way of the input data. Using it, an attacker can pull data from the database that the developer never intended to expose (which would allow, for example, entering the administrative interface without knowing the password) or modify data in the database (for example, deleting a table or overwriting its contents). Typically the vulnerability is eliminated by escaping the data when the query is built. In this context it is highly desirable to remove, from the start, any ability to access the database directly from your code, and to work with the database only through a dedicated library that performs the necessary conversions automatically.

I can't hold back and will let out a small ray of hatred. Once, on our site, a third-party shop knocked together a service, and these nice guys sent us a letter asking for access to the database in order to set up shared authorization. We answered that proposal with an angry refusal and an authentication scheme, complete with the appropriate redirects and digital signatures (EDS). In response they complained to our boss that we were paranoids and saboteurs, as a result of which the user integration was moved to "someday", and they decided to launch the whole thing "as is for now". What was my surprise when typing a single quote into the password field on the subsite of these "knights without fear and without reproach" got me a cheerful message about an sql error. Special piquancy was added by the fact that, on error, the system periodically handed out nicely formatted chunks of code, in one of which I found the comment "Kolya WTF".
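As an added example (not code from the original post), here is the fix described above in Python with sqlite3: the string-built login query that breaks on a single quote beside the parameterized query a database library builds for you, plus a handler that never echoes the database error back to the user. The table, user and password are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample database with a single user (demo data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_unsafe(conn, login, password):
    """Query built by string concatenation: the input becomes part of the SQL text."""
    sql = ("SELECT login FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, login, password):
    """Parameterized query: the driver sends the values separately, so a quote in
    the password is plain data and can never change the statement."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()


def probe_single_quote(conn):
    """The check from the post: submit a lone single quote as the password.
    Returns (unsafe_result, safe_result); unsafe_result is 'sql error' when the
    concatenated query is rejected by the database, as it was on that subsite."""
    try:
        unsafe = login_unsafe(conn, "admin", "'")
    except sqlite3.OperationalError:
        unsafe = "sql error"
    safe = login_safe(conn, "admin", "'")
    return unsafe, safe


def login_view(conn, login, password):
    """Application handler: parameterized query, and a database failure is
    reported as a generic error, never as a stack trace or chunk of source."""
    try:
        row = login_safe(conn, login, password)
    except sqlite3.Error:
        return {"ok": False, "error": "internal error"}
    return {"ok": row is not None}
```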