Hacking Myself!
So as I mentioned yesterday I have a group current event presentation in my Database Management class. My group is going to be reporting on several articles about sql injections that have been published in the last few months. My part in this project will be to explain what a SQL injection is. I thought it would be more interesting if we could show the class an actual SQL injection attack, so today I took some time of writing a very simple and very insecure login script in PHP.
It's actually quite surprising how easy a SQL injection attack can be. If I ever get back into PHP it's definitely something that I'll need to learn more about. I would hate to write something just to have it get compromised by some no good script kiddie.
On that note I did find it interesting that the SQL string I was injecting that allowed me to bypass my simple login script, " ' OR '1=1 ", stopped working all of a sudden. Luckily I was able to find another string that worked. Hopefully it still works tomorrow in our presentation! I wonder if my web-host has some kind of security measures implemented that detected my simple SQL injection attack? For the life of me I can't figure out why else that string stopped working.
October 20th, 2010 - 03:38
Hrm it doesn’t appear PingBacks work from Blogger, I’ve posted a response here http://www.notribalknowledge.com/2010/10/thoughts-on-sql-injection-attacks.html
October 20th, 2010 - 03:59
It should be enabled by default, but I’ll have to check the backend. I haven’t had much time to play around with it yet.
October 21st, 2010 - 04:09
dude – it is called “jacking myself.”
October 23rd, 2010 - 13:51
Hey there, just stumbled upon your blog through Google, and found it to be really informative. I’m gonna keep an eye on this one. Cheers!