2 cissp ® Official Study Guide Eighth Edition



Download 19,3 Mb.
Pdf ko'rish
bet872/881
Sana08.04.2023
Hajmi19,3 Mb.
#925879
1   ...   868   869   870   871   872   873   874   875   ...   881
Bog'liq
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

SQL Injection Attacks 
SQL injection attacks allow a malicious individual to directly perform SQL transactions 
against the underlying database, in violation of the isolation model shown in Figure 21.2 . 
For more on databases and SQL, see Chapter 20.
In the example used earlier, a bank customer might enter an account number to gain 
access to a dynamic web application that retrieves current account details. The web 


Web Application Security 
939
application must use a SQL query to obtain that information, perhaps of the following 
form, where 

is the account number provided by the user on the web form:
SELECT *
FROM transactions
WHERE account_number = ''
There’s one more important fact you need to know: Databases will process multiple SQL 
statements at the same time, provided that you end each one with a semicolon.
If the web application doesn’t perform proper input validation, the user may be able to 
insert their own SQL code into the statement executed by the web server. For example, if 
the user’s account number is 145249, they could enter the following:
145249'; DELETE * FROM transactions WHERE 'a' = 'a
The web application would then obediently plug this into the 

field in the ear-
lier SQL statement, resulting in the following:
SELECT *
FROM transactions
WHERE account_number ='145249'; DELETE * FROM transactions WHERE 'a' = 'a'
Reformatting that command slightly, you get the following:
SELECT *
FROM transactions
WHERE account_number ='145249';
DELETE *
FROM transactions
WHERE 'a' = 'a'
This is a valid SQL transaction containing two statements. The first one retrieves the 
requested information from the database. The second statement deletes all the records 
stored in the database. Whoops!

Download 19,3 Mb.

Do'stlaringiz bilan baham:
1   ...   868   869   870   871   872   873   874   875   ...   881




Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling

kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha


yuklab olish