
Pete Finnigan's Oracle security weblog



Extreme SQL Injection

October 10th, 2007 by Pete


I saw today a link on Tom's blog to a cartoon that shows how SQL injection could transfer to the real world. The cartoon was pointed out to me before that by Patrick. The cartoon shows how you could give your children a name like "Robert') drop table students--" so that an attack could occur when they were entered into the school computer. It's a joke, but a serious message is included: any data that can end up being used in a SQL statement is a potential attack vector for SQL injection. Patrick also told me that his colleague beat this cartoon by two years with a similar attack talked about in his post "How to break the National Identity Register". Obviously, naming your child like this to effect a SQL injection attack is crazy, but the idea is not crazy. What would happen if you filled in a form with a pen and the form was later read into a computer by some sort of reader? If you added an injectable payload, then it could work.
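The point about data ending up in a SQL statement, as an added example that is not part of the original post: the name quoted above is inserted once by string concatenation and once as a bind variable. An in-memory SQLite database stands in for the school system, and the `students` table, its `name` column and the function names are assumptions made for the illustration.

```python
import sqlite3

# Name from the cartoon as quoted in the post, treated as a field read from a form.
SCANNED_NAME = "Robert') drop table students--"

def new_db():
    """In-memory SQLite database standing in for the school system (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (name TEXT)")
    return db

def insert_concatenated(db, name):
    """Vulnerable form: the value is pasted into the SQL text itself."""
    sql = "INSERT INTO students (name) VALUES ('" + name + "')"
    try:
        db.execute(sql)
        return True, sql, None
    except sqlite3.Error as exc:
        # The quote inside the data closed the string literal early, so the
        # database parsed the remainder of the name as SQL and rejected it.
        return False, sql, str(exc)

def insert_bound(db, name):
    """Hardened form: the value travels as a bind variable, never as SQL text."""
    db.execute("INSERT INTO students (name) VALUES (?)", (name,))
    return [row[0] for row in db.execute("SELECT name FROM students")]

def demo():
    db = new_db()
    executed, sql, error = insert_concatenated(db, SCANNED_NAME)
    stored = insert_bound(db, SCANNED_NAME)
    return executed, sql, error, stored

if __name__ == "__main__":
    executed, sql, error, stored = demo()
    print("statement built by concatenation:", sql)
    print("executed:", executed, "| error:", error)
    print("rows after bound insert:", stored)
```

With the bind variable the name is stored character for character, because the statement text is fixed before the data is supplied.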



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
