SQL Injection Exploit
This exploit is caused by one thing and one thing only: the script author’s screwup.
Any website script that does not, by default, treat all site visitor input as dangerous is vulnerable to such an attack.
The only thing that can be done is to use scripts that do not pass SQL from within a user’s post to the database engine. The script should instead mark such input as code or a quote and put it into the database as text in the “comment” section of the table. When the page displays, the user’s attempt to exploit the database engine by injecting SQL is shown in the post, rather than actually being processed by the database engine. This, along with server logs, can be used as evidence in a court of law for the user’s attempted criminal activity. It also will very quickly stop others from attempting the same thing, as they can see that the attempt will fail and be publicly displayed as such.
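The difference described above, as an added example that is not code from the original page: a comment handler that pastes visitor text into the SQL statement, beside one that hands it to the engine as text and escapes it on display. It uses Python's `sqlite3`; the `posts` table, the function names and the sample post are assumptions constructed for the illustration.

```python
import html
import sqlite3

def new_db():
    # Hypothetical schema: one table with a "comment" text column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (author TEXT, comment TEXT)")
    return db

def save_comment_unsafe(db, author, comment):
    # Vulnerable: visitor text becomes part of the SQL statement itself,
    # so a quote character in the post changes the statement's structure.
    db.execute(
        f"INSERT INTO posts (author, comment) VALUES ('{author}', '{comment}')"
    )

def save_comment_safe(db, author, comment):
    # Hardened: placeholders pass the text as data only; the engine
    # never parses the visitor's input as SQL.
    db.execute(
        "INSERT INTO posts (author, comment) VALUES (?, ?)", (author, comment)
    )

def stored_rows(db):
    return db.execute(
        "SELECT author, comment FROM posts ORDER BY rowid"
    ).fetchall()

def render_posts(db):
    # Escape on output so the stored text is shown in the post as written.
    return [
        f"<p><b>{html.escape(a)}</b>: <code>{html.escape(c)}</code></p>"
        for a, c in stored_rows(db)
    ]

# Constructed sample input: a post that contains SQL syntax.
SAMPLE_POST = "nice site'), ('admin', 'forged entry"

def demo():
    unsafe, safe = new_db(), new_db()
    save_comment_unsafe(unsafe, "visitor", SAMPLE_POST)
    save_comment_safe(safe, "visitor", SAMPLE_POST)
    return stored_rows(unsafe), stored_rows(safe), render_posts(safe)

if __name__ == "__main__":
    for part in demo():
        print(part)
```

In the unsafe database the single post ends up as two rows, one of them attributed to `admin`; in the safe database it is one row holding the visitor's text exactly as typed, which the page then displays.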