Anatomy of a SQL Injection Attack
Trailrunner7 writes "SQL injection has become perhaps the most widely used technique for compromising Web applications, thanks to both its relative simplicity and high success rate. It's not often that outsiders get a look at the way these attacks work, but a well-known researcher is providing just that. Rafal Los showed a skeptical group of executives just how quickly he could compromise one of their sites using SQL injection, and in the process found that the site had already been hacked and was serving the Zeus Trojan to visitors."
Los's original blog post has more and better illustrations, too.
A cautionary tale' OR 1=1 (Score:5, Funny)
...for these modern times.
Obligatory xkcd (Score:4, Funny)
http://xkcd.com/327/
Re:Obligatory xkcd (Score:5, Funny)
Re:Obligatory xkcd (Score:1, Funny)
Select TOP 1 as bestever from t_XKCD where id = thisone
Slash Dot Virus Sequel Injected in You (Score:5, Funny)
Re:Lemme be the first to say (Score:4, Funny)
I remember that Perl was not too good for web programming. It was unstable in the sense that variables sometimes got strange values inexplicably.
Perhaps less (or more) drinking would help?
Re:Use a persistence library (Score:3, Funny)
It's very simple. Don't use any of the mysql_* functions.
Use the PDO prepare function (http://dk2.php.net/manual/en/pdo.prepare.php) and remember never to pass any input you got from the user directly into the string you give to prepare.
In most cases (99%) the string you give to the prepare function should really be constant and not depend on user input at all.
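A worked version of this advice, added here and not taken from the article or any comment: the string-concatenation login query beside the PDO prepare() equivalent, run against an in-memory SQLite database so it is self-contained. The users table, its rows, the payload and the whitelist in the third function are all constructed for the example.

```php
<?php
// Added example (not from the article or the comments above). Uses pdo_sqlite
// with an in-memory database so it runs stand-alone; table and rows are sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: user input is spliced into the SQL text, so the input can change
// the statement itself. The ' OR 1=1 idea from the thread turns the WHERE
// clause into a tautology and the query matches every row.
function loginVulnerable(PDO $db, string $name, string $password): array {
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the SQL string is a constant; user input travels only as bound
// parameters and is compared as data, never parsed as SQL.
function loginSafe(PDO $db, string $name, string $password): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The remaining 1%: identifiers such as a sort column cannot be bound as
// parameters. Map the request onto a fixed whitelist instead of interpolating it.
function listUsersSortedBy(PDO $db, string $requestedColumn): array {
    $allowed = ['name' => 'name', 'id' => 'id'];
    $column = $allowed[$requestedColumn] ?? 'id';   // unknown input falls back to a safe default
    return $db->query("SELECT name FROM users ORDER BY $column")->fetchAll(PDO::FETCH_COLUMN);
}

$payload = "' OR '1'='1";   // constructed: closes the quote and appends a tautology
print_r(loginVulnerable($db, 'anyone', $payload));   // both users: the password check was bypassed
print_r(loginSafe($db, 'anyone', $payload));         // empty: no row has that literal password
print_r(listUsersSortedBy($db, 'name; DROP TABLE users'));   // sorted by id: input never reached the SQL
```

Run with `php example.php` on a build that has pdo_sqlite enabled (the default in most distributions).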
Re:Obligatory xkcd (Score:1, Funny)
You win.