Monday, May 25, 2015

Security Risk of Injection

Injection happens any time a developer takes untrusted information, such as the value of request.getParameter(), request.getCookie(), or request.getHeader(), and uses it in a command interface. For example, SQL injection happens if you concatenate untrusted data into a regular SQL query, like

"SELECT * FROM users WHERE username='" + request.getParameter("user") + "' AND password='" + request.getParameter("pass") + "'";

Developers should use PreparedStatement, which binds the untrusted values as parameters instead of splicing them into the query text, to keep attackers from changing the meaning of queries and taking over database hosts.
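Added example, not code from the original post: the same comparison written in Python with the standard sqlite3 module (the post's snippet is Java, but the technique, binding parameters rather than concatenating, is identical). The table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    # A legitimate name containing an apostrophe; '' is SQL's escaped quote.
    conn.execute("INSERT INTO users VALUES ('o''brien', 'battery staple')")
    return conn


def login_concat(conn, user, pw):
    """Vulnerable: untrusted input is pasted into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM users WHERE username='" + user +
           "' AND password='" + pw + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, user, pw):
    """Fixed: the query shape is fixed in advance and the values are bound
    as parameters; the driver never interprets them as SQL."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Same valid credentials work either way.
    print(login_concat(db, "alice", "correct horse"))
    print(login_prepared(db, "alice", "correct horse"))
    # A quote in the input changes the concatenated query's meaning;
    # the parameterized version simply compares the literal string.
    print(login_concat(db, "alice", "x' OR '1'='1"))
    print(login_prepared(db, "alice", "x' OR '1'='1"))
    # The concatenated query also breaks on honest input with an apostrophe.
    print(login_prepared(db, "o'brien", "battery staple"))
```

Note that the concatenated version fails in both directions: it lets a quote-bearing input rewrite the WHERE clause, and it raises a syntax error for a legitimate user named o'brien, while the parameterized query handles both correctly.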

There are many other types of injection, such as Command Injection, LDAP Injection, and Expression Language (EL) Injection, and all of them are devastatingly dangerous, so be careful whenever you send untrusted data to one of these interpreters.
