
Re: unix and email viruses



On Sun, Mar 02, 2008 at 05:01:06PM -0800, Andrew Sackville-West wrote:
> 
> sql injections are 'data' trying to be executable, aren't they? I know
> that generally folks aren't trying to "open" sql "attachments"
> (whatever the hell that might mean) from mutt...

"SQL injections" are completely different and not related to mail.
If you run a database backend on your web server driven by, say, PHP,
then an attacker can use an SQL injection to "break" into your database
and grab any data they feel like. An SQL injection is just a crafted SQL
query along the lines of:

	"SELECT foo, bar FROM table
	WHERE login_id = 'xxxxx' AND passwd = 'cxcv' OR 1=1;"
	                                              ======
Since 1 always equals 1 ...

The 50x errors from the server are critical in determining the method of
crafting the SQL query.

An SQL injection will not work if you parse the input correctly.

-- 
Chris.
======
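As an added illustration of the point above (not Chris's code or anything from the thread), the same login query built two ways against a constructed in-memory SQLite table: pasted together from user input, where the "1 always equals 1" clause matches every row and a stray quote raises the database error that the 50x responses give away, and with bound parameters, where the same input stays a plain string.

```python
import sqlite3


def make_db():
    """Constructed sample table with one user (example data, not from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login_id TEXT, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db


def login_concat(db, login_id, passwd):
    """Vulnerable: input is spliced into the SQL text, so quotes in the input
    close the literal and whatever follows is parsed as SQL."""
    sql = ("SELECT login_id FROM users WHERE login_id = '%s' AND passwd = '%s'"
           % (login_id, passwd))
    return db.execute(sql).fetchall()


def login_param(db, login_id, passwd):
    """Fixed: placeholders hand the values to the driver separately; the query
    text is fixed and the input is never re-parsed as SQL."""
    sql = "SELECT login_id FROM users WHERE login_id = ? AND passwd = ?"
    return db.execute(sql, (login_id, passwd)).fetchall()


def concat_raises_on_quote(db):
    """A lone quote makes the concatenated query unparseable. If that error
    reaches the client (the thread's 50x responses) it confirms the input is
    being spliced into SQL; the parameterised query just returns no rows."""
    try:
        login_concat(db, "alice", "'")
        return False
    except sqlite3.OperationalError:
        return login_param(db, "alice", "'") == []


def demo():
    db = make_db()
    good = (login_concat(db, "alice", "correct-horse"),
            login_param(db, "alice", "correct-horse"))
    # The "1 always equals 1" input from the thread, with the quote balanced so
    # the spliced query stays syntactically valid. AND binds tighter than OR, so
    # the WHERE clause becomes (... AND ...) OR '1'='1' and every row matches.
    bad = "cxcv' OR '1'='1"
    injected = (login_concat(db, "xxxxx", bad),   # every user comes back
                login_param(db, "xxxxx", bad))    # no user has that password string
    return good, injected
```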