SQL Injection

• Concept“attacks that result from failing to validate input including portions of SQL statements in a web form entry field in an attempt to pass a newly formed rogue SQL command to the database.”

• Description and examples

  • PHP manual on SQL injection with examples, see also OWASP.
  • Imperva video demonstration of SQL injection
  • SQL Injection Cheat Sheet: code for MySQL, MS SQL, Oracle

• Scanning and mitigation

  • Business scanners and free scan tool
  • Mitigation: sanitation, PHP mysql escape function and validation.
  • References: more in validation, MS library, ASSIST, parse tree validation.

Previous slide

Next slide