SlideShare is now on Android. 15 million presentations at your fingertips.  Get the app

×
  • Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
 

Sql Injection Myths and Fallacies

by on Apr 15, 2010

  • 62,898 views

...


The most massive crime of identity theft in history was perpetrated in 2007 by exploiting an SQL Injection vulnerability. This issue is one of the most common and most serious threats to web application security. In this presentation, you'll see some common myths busted and you'll get a better understanding of defending against SQL injection.

Statistics

Views

Total Views
62,898
Views on SlideShare
57,033
Embed Views
5,865

Actions

Likes
75
Downloads
1,486
Comments
9

50 Embeds 5,865

http://ovm-kassel.eu 2581
http://ovm-kassel.net 1692
http://www.websdeveloper.com 325
http://www.slideshare.net 247
http://dll.lv 232
http://nwlinux.com 215
http://my.bergersoft.net 154
http://demlaip.wordpress.com 56
http://kyaiz.wordpress.com 43
http://kerika.net 42
http://www.berejeb.com 40
http://khishigee.miniih.com 36
http://www.khishigee.miniih.com 33
http://www.matsuyuku.com 30
https://twitter.com 15
http://a0.twimg.com 13
https://groupereflect.bluekiwi.net 11
http://sjaswinder.blogspot.com 9
http://localhost 8
http://www.devetdesign.com 7
http://lernen20.de 7
http://www.ovsa.fr 7
http://www.techgig.com 7
http://gsmental.blogspot.in 7
http://lernmix.de 6
http://translate.googleusercontent.com 5
http://www.linkedin.com 5
http://chirag.dreamworldsolutions.com 3
http://localhost:49234 3
http://gsmental.blogspot.com 3
http://www.google.com 2
http://hml-monqi.monqi.com.br 2
https://twimg0-a.akamaihd.net 2
https://190.96.167.74 1
http://chandresh.dreamworldsolutions.com 1
http://rbucky.com 1
http://www.blogger.com 1
http://paper.li 1
http://www.scoop.it 1
https://devbbapp3.nku.edu 1
http://lms.ipa.edu.sa 1
http://buckycomputing.net 1
http://www.miniih.com 1
http://sjaswinder.blogspot.in 1
http://webcache.googleusercontent.com 1
http://www.tumblr.com 1
https://si0.twimg.com 1
http://mayur.dreamworldsolutions.com 1
http://bharat.dreamworldsolutions.com:8085 1
https://drive.jolicloud.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via SlideShare as Adobe PDF

Usage Rights

CC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

19 of 9 previous next Post a comment

  • JonathanSkeet Jonathan Skeet While I agree with the limitations of parameters (can't be used for table names, ordering etc) it feels like it's a different level of 'not a fix' to the others (such as escaping). Unless I'm wrong - and I'm *not* a database expert - query parameters really are *the* way to go in situations where they're applicable (i.e. when you don't need to dynamically choose the table name, build a list etc). There aren't all the 'gotchas' to be really careful with that there are with escaping (which always feels like a losing battle to me).

    Of course there are other benefits of query parameters anyway - simpler to read SQL and avoiding error-prone conversions (especially for date/time types) for example.

    Is this a fair statement, or are there downsides to query parameters beyond the limitations? The good part of the limitations is that when you bump into them, you *know* you've bumped into them, because the query simply doesn't work - so with query parameters you're either working safely, or you're broken. Again, that's assuming I'm not missing something.
    1 month ago
    Are you sure you want to
    Your message goes here
    Processing…
  • tomexsans Tomex Evaristo the 20th slide, story of my life 11 months ago
    Are you sure you want to
    Your message goes here
    Processing…
  • dilip-borad dilip-borad very good 1 year ago
    Are you sure you want to
    Your message goes here
    Processing…
  • vcs023 Varun Saxena, mira road at MUMBAI Awesome PPT and very knowledgeable 1 year ago
    Are you sure you want to
    Your message goes here
    Processing…
  • wimdesaegher Wim De Saegher Slide 27 - Why does QueryAnyTable have a table_name IN parameter when we pass the 'SELECT * FROM' to the procedure? Won't that execute 'SELECT * FROM SELECT * FROM ...' ? 2 years ago
    Are you sure you want to
    Your message goes here
    Processing…
  • wimdesaegher Wim De Saegher Slide 12 - did you forget the escape the second special character, right before the 1 ? 2 years ago
    Are you sure you want to
    Your message goes here
    Processing…
  • billkarwin Karwin Software Solutions LLC at Karwin Software Solutions LLC Updated presentation with new content, after giving the talk at ZendCon 2010 in Santa Clara. Enjoy! 3 years ago
    Are you sure you want to
    Your message goes here
    Processing…
  • gacdfm10 gacdfm10 Much to my discomfort I discovered I had believed a couple of those myths. I thought this presentation would be something of a review for me -- always a good thing too for security -- but instead it was something even more valuable.

    There certainly will be changes in how I do things, based on what I learned here.
    3 years ago
    Are you sure you want to
    Your message goes here
    Processing…
  • dthomson1 dthomson1 Excellent and eye-opening presentation. Made me realize that my own techniques for safe SQL were quite inadequate. It helped to not just know what to avoid but why, as in the in-depth discussion of what actually happens during a prepare statement and why it makes a difference. I came away with a number of things that I'm doing that need to be changed, and a whole other set of things that I'm not doing that I plan to start. Thanks! 3 years ago
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Sql Injection Myths and Fallacies Sql Injection Myths and Fallacies Presentation Transcript