Questions about this topic? Sign up to ask in the talk tab.
SQL injection/Cause
From NetSec
Revision as of 02:33, 19 July 2012 by LashawnSeccombe (Talk | contribs)
- SQL injection > Cause
- Now is a good time for orientation with SQL servers and queries with the SQL primer, otherwise this text may prove be confusing.
SQL Injection occurs when input from a user is directly passed to a SQL query by an application. In the context of web applications, user input comes from HTTP input.
- Un-sanitized user input - The developer made no effort to stop an injection attack
- Improper type handling - An integer sanitized or otherwise treated as a string, or vice versa
- Lack of output filtering - Output from a query that had user input passed to it is used as input in later queries when rendering the page
- Cookies and other "hidden" forms of communication in the HTTP request header are also processed as user input and can be considered attack vectors as well.