Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 24, 2009 5:59 am
by kaisellgren
It seems to me that you want to be a professional football player who does not even know the rules yet. How about you first learn PHP and SQL for one year at least? You must learn things pretty much step by step...
Learn as many languages as possible and learn them as well as possible... if you know PHP, then you can be a security expert in that area.
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 24, 2009 6:14 am
by goldensparrow
Thank you very much, everyone, for your advice.
Re: Is there anyone can tell me about sql injection?
Posted: Sun Jun 28, 2009 9:09 am
by Sephern
It depends what type of security you wish to learn. If you want to make sure that your websites are safe, then you should learn about web security, and the techniques you are using to build your site.
For example, if you are using PHP, you should learn all of the functions you are using inside out. This will then mean that you should be able to identify any vulnerabilities.
For example, if you are using PHP and MySQL, then you should be aware that you can use PHP to execute queries directly against the database. You should also be aware that the user can input data directly into the database.
Wherever a user can directly input data into your system, there is a potential security vulnerability. By putting in quotation marks and such, a user can fool your SQL query, and modify it to their needs.
If you are using PHP and MySQL to search through the database, then you should be wary of making sure your search does not parse HTML, and if it does, it doesn't show the search query on the result page.
For example - I have a search bar. When I type in data, it searches the database for it, and returns the results. At the top of the page, it says "You searched for" and whatever query I put in the box.
Now, if I typed in that box '<b>hello</b>', it would return any results with that data, and at the top it would say
"You searched for hello"
Now, this may not seem like a problem, as it is only local editing, but a user could put in all manner of HTML/JavaScript queries and return with data. It presents a quite significant phishing risk.
In summary, get to know whatever you are coding, and any common vulnerabilities to look out for, and watch out anywhere that a user can enter data.
Remember as well, that no matter how hard you try, there is likely to always be a person who can get around any defences you put in place. Whether it's an error with your code, someone else's, or how the server's set up, you are almost always at risk from people who really know what they are doing. "Security is no more than an illusion"
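The two warnings in Sephern's post (a quotation mark that rewrites the SQL query, and a search term echoed back into the page as HTML) shown in working code. This is an added example, not code from the thread; it uses Python's built-in sqlite3 module and html.escape in place of the PHP/MySQL setup the post describes, because the mechanism is the same and this version runs offline with nothing to install. The table, its rows and the attack payloads are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data (not from the original thread): a small product
# catalogue. Rows marked "staff-only" must never be shown to a public search.
SAMPLE_PRODUCTS = [
    ("red widget", "public"),
    ("blue widget", "public"),
    ("internal prototype", "staff-only"),
]


def make_db():
    """Create an in-memory SQLite database holding SAMPLE_PRODUCTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def vulnerable_search(conn, term):
    """Search by pasting the user's text straight into the SQL string.

    A quote character in `term` closes the string literal, so whatever
    follows is parsed as SQL rather than as data. A lone quote breaks the
    statement; a crafted one rewrites the WHERE clause.
    """
    sql = ("SELECT name FROM products WHERE visibility = 'public' "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, term):
    """Same search with a bound parameter: the driver sends `term` as data,
    so quotes inside it can never change the statement's structure."""
    sql = ("SELECT name FROM products WHERE visibility = 'public' "
           "AND name LIKE ?")
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def vulnerable_header(term):
    """The 'You searched for ...' line with the raw term echoed back.
    Tags inside `term` are rendered by the browser, not shown as text."""
    return "<p>You searched for " + term + "</p>"


def safe_header(term):
    """Escape <, >, & and quotes so the term is displayed literally."""
    return "<p>You searched for " + html.escape(term, quote=True) + "</p>"


def run_demo():
    """Exercise the broken and the fixed versions; return all results."""
    conn = make_db()
    results = {}

    # 1. A single quote makes the concatenated statement syntactically invalid.
    try:
        vulnerable_search(conn, "'")
        results["quote_breaks_query"] = False
    except sqlite3.Error:
        results["quote_breaks_query"] = True
    results["safe_handles_quote"] = safe_search(conn, "'")

    # 2. Closing the literal and adding OR 1=1 defeats the visibility filter;
    #    the trailing "--" comments out the %' left over from the template.
    payload = "' OR 1=1 --"
    results["vulnerable_leak"] = vulnerable_search(conn, payload)
    results["safe_no_leak"] = safe_search(conn, payload)

    # 3. The reflected search term from the post: tags survive unescaped.
    xss = "<b>hello</b>"
    results["vulnerable_header"] = vulnerable_header(xss)
    results["safe_header"] = safe_header(xss)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the staff-only row leaking through `vulnerable_search` while `safe_search` returns nothing for the same payload, and `<b>hello</b>` surviving as markup only in `vulnerable_header`. The PHP equivalents of the two fixes are prepared statements (mysqli or PDO with bound parameters) and passing the echoed term through `htmlspecialchars()`.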
Re: Is there anyone can tell me about sql injection?
Posted: Tue Jun 30, 2009 3:15 am
by goldensparrow
Sephern, thank you very much.