MySQL Forums
Forum List  »  Security

Code Injection
Posted by: David Donahue
Date: August 24, 2005 12:24PM

I have a website that stores/retrieves much of its data from a MySQL backend. There are a handful of forms on the site where users can enter data (a comments page, a FAQ page, etc.) that gets stored in the database. It recently occurred to me that there could be a security hole in my implementation of this.

At the moment, the text that is entered into a field would be built directly into an INSERT statement and executed on the database. Assuming all anyone enters is plain english text, that's no big deal. But is it possible to inject code in this manner and do malicious things to the database?

Currently, all such user input forms are for string data, so the INSERT/UPDATE statements always wrap it in quotes. I would think that would be enough to tell the server that it's all just plain text, and not to do anything else with it. But I guess making any assumption on the matter without asking experts would be unwise.

Is there a danger here that I should be aware of? What are the common, effective measures taken by others to prevent such an attack?


Regards,
David P. Donahue
ddonahue@ccs.neu.edu

Options: ReplyQuote


Subject
Views
Written By
Posted
Code Injection
6855
August 24, 2005 12:24PM
2763
August 25, 2005 11:10AM
2632
September 20, 2005 08:57AM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.