Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pengantar Keamanan Informasi

Published byHannah Cummings Modified over 6 years ago

Similar presentations

Presentation on theme: "Pengantar Keamanan Informasi"— Presentation transcript:

1 Pengantar Keamanan Informasi
Week 12-SQL Security

2 An Example SQL Injection Attack
Product Search: This input is put directly into the SQL statement within the Web application: $query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘” . $_POST[‘prod_search’] . “’”; Creates the following SQL: SELECT prodinfo FROM prodtable WHERE prodname = ‘blah‘ OR ‘x’ = ‘x’ Attacker has now successfully caused the entire database to be returned. blah‘ OR ‘x’ = ‘x

3 A More Malicious Example
What if the attacker had instead entered: blah‘; DROP TABLE prodinfo; -- Results in the following SQL: SELECT prodinfo FROM prodtable WHERE prodname = ‘blah’; DROP TABLE prodinfo; --’ Note how comment (--) consumes the final quote Causes the entire database to be deleted Depends on knowledge of table name This is sometimes exposed to the user in debug code called during a database error Use non-obvious table names, and never expose them to user Usually data destruction is not your worst fear, as there is low economic motivation

4 Other injection possibilities
Using SQL injections, attackers can: Add new data to the database Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site Perform an INSERT in the injected SQL Modify data currently in the database Could be very costly to have an expensive item suddenly be deeply ‘discounted’ Perform an UPDATE in the injected SQL Often can gain access to other user’s system capabilities by obtaining their password

5 Defenses Use provided functions for escaping strings
Many attacks can be thwarted by simply using the SQL string escaping mechanism ‘  \’ and “  \” mysql_real_escape_string() is the preferred function for this Not a silver bullet! Consider: SELECT fields FROM table WHERE id = 23 OR 1=1 No quotes here!

6 More Defenses Check syntax of input for validity
Many classes of input have fixed languages addresses, dates, part numbers, etc. Verify that the input is a valid string in the language Sometime languages allow problematic characters (e.g., ‘*’ in addresses); may decide to not allow these If you can exclude quotes and semicolons that’s good Not always possible: consider the name Bill O’Reilly Want to allow the use of single quotes in names Have length limits on input Many SQL injection attacks depend on entering long strings

7 Even More Defenses Scan query string for undesirable word combinations that indicate SQL statements INSERT, DROP, etc. If you see these, can check against SQL syntax to see if they represent a statement or valid user input Limit database permissions and segregate users If you’re only reading the database, connect to database as a user that only has read permissions Never connect as a database administrator in your web application

8 More Defenses Configure database error reporting
Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.) Configure so that this information is never exposed to a user If possible, use bound variables Some libraries allow you to bind inputs to variables inside a SQL statement PERL example (from injection.html) $sth = $dbh->prepare("SELECT , userid FROM members WHERE = ?;"); $sth->execute($ );

9 Terima Kasih

Download ppt "Pengantar Keamanan Informasi"

Similar presentations

Understand Database Security Concepts

Understand Database Security Concepts
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Structured Query Language - SQL Carol Wolf Computer Science.

Structured Query Language - SQL Carol Wolf Computer Science.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
DT211 Stage 2 Databases Lab 1. Get to know SQL Server SQL server has 2 parts: –A client, running on your machine, in the lab. You access the database.

DT211 Stage 2 Databases Lab 1. Get to know SQL Server SQL server has 2 parts: –A client, running on your machine, in the lab. You access the database.
Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.

Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.
Creating Web Page Forms

Creating Web Page Forms
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
+ Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security At 9:10, you’ll have 15 minutes to do on- line student.

+ Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security At 9:10, you’ll have 15 minutes to do on- line student.
EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.

EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
PHP Security.

PHP Security.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
Chapter 5 Introduction to SQL. Structured Query Language = the “programming language” for relational databases SQL is a nonprocedural language = the user.

Chapter 5 Introduction to SQL. Structured Query Language = the “programming language” for relational databases SQL is a nonprocedural language = the user.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

Similar presentations

Ads by Google