Monday, February 04, 2008

Who needs SQL injection?

I, probably like many of you, thought that preventing SQL injection (untrusted input concatenated into a dynamically built SQL statement, where a quote or comment marker lets it change the statement's meaning or append statements of its own) was the low-hanging fruit of web application security. Not at all. This latest post from The Daily WTF really takes database (in)security to another level.
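To make the parenthetical concrete, here is an added example (mine, not from the original post or from The Daily WTF article it refers to) that runs the same three payloads through a concatenated query and a parameterised one. The table, the user records and the audit table are constructed for the demonstration; SQLite is used only because it runs in-process, and the same dynamic-SQL pattern behaves the same way against any database.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the original post.
SAMPLE_USERS = [
    (1, "alice", "s3cret", "admin"),
    (2, "bob", "hunter2", "user"),
]


def make_db():
    """Build an in-memory SQLite database with a users table and an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Dynamic SQL built by string formatting: the caller's input becomes part of the
    statement text, so quotes and comment markers in it change the query's meaning."""
    sql = (
        "SELECT id, username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def safe_login(conn, username, password):
    """Parameterised query: the statement text is fixed and the values travel
    separately as bind parameters, so they can never alter the query's structure."""
    sql = "SELECT id, username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def vulnerable_audit(conn, username):
    """Same concatenation flaw, run through executescript(), which (unlike execute())
    accepts several statements. This is the 'additional SQL statements' case: the
    attacker terminates the INSERT and appends a statement of their own."""
    conn.executescript("INSERT INTO audit (username) VALUES ('%s');" % username)


def safe_audit(conn, username):
    """Bound parameter; execute() also refuses to run more than one statement."""
    conn.execute("INSERT INTO audit (username) VALUES (?)", (username,))
    conn.commit()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Run the three classic payloads through both code paths and return the outcomes."""
    results = {}

    # 1. Comment out the password check: the WHERE clause collapses to username = 'alice'
    conn = make_db()
    results["bypass_vulnerable"] = vulnerable_login(conn, "alice' --", "wrong")
    results["bypass_safe"] = safe_login(conn, "alice' --", "wrong")

    # 2. UNION in a second SELECT that returns every password in the table
    payload = "' UNION SELECT id, username, password FROM users --"
    results["union_vulnerable"] = sorted(vulnerable_login(conn, payload, ""))
    results["union_safe"] = safe_login(conn, payload, "")

    # 3. Stacked statement: close the INSERT and append a DELETE
    conn = make_db()
    vulnerable_audit(conn, "x'); DELETE FROM users; --")
    results["stacked_vulnerable_users_left"] = user_count(conn)

    conn = make_db()
    safe_audit(conn, "x'); DELETE FROM users; --")
    results["stacked_safe_users_left"] = user_count(conn)
    results["stacked_safe_audit_row"] = conn.execute("SELECT username FROM audit").fetchone()[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterised versions treat the whole payload as a literal username: the login lookup simply finds nobody, and the audit insert stores the attack string verbatim instead of executing it. Note that Python's sqlite3 `execute()` refuses stacked statements on its own, which is why the third case needs `executescript()`; many other drivers and servers accept several statements per call, so that refusal is not something to rely on.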

1 comment:

Noons said...

It will never cease to amaze me how many sites have got their web server and app server on the same node, in the DMZ.

And then proceed to connect the app server to a db over a non-encrypted SQL*Net connection.
Takes a hacker about ten seconds to fish out all strings from the Net packets, including connection passwords.

But what is important is to patch the db against "known vulnerabilities"...