John Ashmead on 22 Sep 2007 14:16:25 -0000



[MPSIG] How to destroy a database! 10/6 @ 10:30am @ Cheyney University (new date & time & place!!!)


Exactly two weeks from today, 10/6 at 10:30am, the Macintosh Programming SIG (MPSIG) will be doing "How to destroy a database!" with myself assisted by Walt Mankowski & of course the screams of the terrified audience!

This all comes of Rich Morby's talk at the last MPSIG. He was using some SQL to get at a MySQL database & we got into a discussion of how to protect your database from malicious outsiders. It is all too easy for someone who is a friend neither to you nor to civilization to get control of your database using SQL Injection and other fiendish tricks. For example: you ask for the user's password in a form. He types, vile & degraded cad that he is, the following into the password field:

dummy_password';select * from passwords;'

Your code puts this into the following string ($ means variable):

select count(*) from passwords where user = '$user' and password = '$password'

which turns into:

select count(*) from passwords where user = 'vile_and_degraded_cad' and password = 'dummy_password';select * from passwords;''

Your code says 1) count = 0, so vile_and_degraded_cad is not a recognized user (yet) and 2) (if you are unlucky) prints the entire password list to the screen. By sneaking an apostrophe and a semicolon into his password, to close off the previous SQL statement, and then putting a new SQL statement in, Mr. V. N. D. Cad has succeeded in executing two SQL statements for the price of one. And think what he could do if he made the second SQL an "insert" or a "delete"!

Of course this was a very simple example & might not work in practice. But more sophisticated ones can and do. So this is what we are going to discuss: some simple ways to hack into a database, what to do to prevent them, and where to go for more information.
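Here is an added worked example (mine, not part of John's message) of the two query-building styles the talk contrasts, using Python's sqlite3 and a constructed one-row "passwords" table rather than MySQL. The unsafe builder reproduces the string above exactly; the safe version hands the user and password to the driver as placeholders, so the apostrophe is just a character in the value.

```python
import sqlite3

PAYLOAD = "dummy_password';select * from passwords;'"   # the password from the message


def make_db():
    """Constructed sample data: the 'passwords' table the message refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table passwords (user text, password text)")
    conn.execute("insert into passwords values ('alice', 's3cret')")
    conn.commit()
    return conn


def build_unsafe_query(user, password):
    # Pasting $user and $password straight into the SQL text, as in the message.
    return ("select count(*) from passwords where user = '%s' and password = '%s'"
            % (user, password))


def login_unsafe(conn, user, password):
    """Run the concatenated query. Returns the count, or None if the driver
    refused to run the attacker's stacked second statement."""
    try:
        return conn.execute(build_unsafe_query(user, password)).fetchone()[0]
    except (sqlite3.Error, sqlite3.Warning):
        # sqlite3 only runs one statement per execute(); a driver or database
        # that accepts several would have run 'select * from passwords' here.
        return None


def login_safe(conn, user, password):
    """Parameterized query: the values travel separately from the SQL text,
    so nothing typed into the form can close the literal or add a statement."""
    sql = "select count(*) from passwords where user = ? and password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(build_unsafe_query("vile_and_degraded_cad", PAYLOAD))
    print("unsafe:", login_unsafe(db, "vile_and_degraded_cad", PAYLOAD))
    print("safe:  ", login_safe(db, "vile_and_degraded_cad", PAYLOAD))
```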

Walt made the mistake of chiming in with some comments so he got volunteered to help with the talk.

I'd like to thank Rich for a really good talk last time: this was only one of the interesting points that came up in his perl/Mac talk! And I thank Deivy for suggesting that SQL Injection would itself be a good subject for a talk.

Note: new date & time: we are meeting October 6th at 10:30am at Cheyney University, in the Duckery social sciences building room #117 (fun map by the way: if you select Duckery on the right, the building starts to flash). Deivy has arranged for us to have this space & he will be waiting for people (thanks Deivy!). We'll start with Q & A then move onto the talk proper at about 10:45 or 10:50, which will be informal: we'll have some slides but leave plenty of time for back & forth. We'll run about two hours, more or less.

I'd like to extend the heartfelt thanks of MPSIG to MLMUG for their space for the last few months, and especially to Eugene Coggins, who has done a great job of prepping our space. One of the advantages of moving back to the first Saturday of the month is that we will now be able to catch the other SIGs at MLMUG and be able to run over time a bit without cutting into the next talk.

See you in 14 days,

Cheers,

John

John Ashmead
Ashmead Software & Consulting, Inc.
139 Montrose Avenue
Rosemont, PA 19010-1508
(610) 527 9560  fax (610) 527 4640
john.ashmead@ashmeadsoftware.com
http://www.ashmeadsoftware.com/

