NYCPHP Meetup

NYPHP.org

[nycphp-talk] Not-so-subtle attack on PHP

Kenneth Downs ken at secdat.com
Fri Sep 28 08:03:21 EDT 2007


bz-gmort at beezifies.com wrote:
> Kenneth Downs wrote:
>> 1) SQL Injection does not let them do anything they can't do anyway, 
>> so at most it is a waste of the hacker's time
>
> Many things are a waste of the cracker's time, but they do them 
> anyway.  So counting on the result not being worth the time of the cracker 
> is wishful thinking. :-)

The focus is on "...does not let them do anything they can't do 
anyway...."   If the hacker wants to test the SQL injection abilities, 
let them.  Let them have fun.  Let them learn.  The real question is, 
can they do harm?  And the answer is NO, not if they are connected to 
the database with an account that has limited security abilities.

>
>> 2) Our user interface design focuses on the idea that they should see 
>> everything they can do, and everything they can see they can do.  
>> Again, SQL Injection only gives them a really crude way to do 
>> something that's probably on the menu!
>
> Hmm, I think in terms of online stores and credits.  Sure, the person 
> can purchase a credit and have the data in their user record updated, 
> but it is so much cheaper to do an "update usertable set credits=10000 
> where uid = 'me'"

See Rusty's comment and my reply on row-level and column-level security.


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010
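The "limited database account" argument in the reply above, as an added example that is not part of the original thread: the same UPDATE quoted by bz-gmort is sent once over a full-privilege connection and once over a read-only one. SQLite has no per-user GRANT, so a connection opened with `mode=ro` stands in for an application role that was never granted UPDATE on the table (in a server RDBMS this would be a GRANT SELECT only, or a view/row-level policy, as the reply's pointer to row- and column-level security suggests). The table name, column names and sample rows are constructed for this demo; the read-only connection is an assumption standing in for the restricted account.

```python
"""
Added example: shows why a database account with limited rights bounds the
damage from SQL injection. The injected statement is the one quoted in the
thread; the schema and rows are constructed for this demo.
"""
import os
import sqlite3
import tempfile

# Statement quoted in the thread; executed here only against a throwaway
# on-disk SQLite file created by make_db().
INJECTED = "update usertable set credits=10000 where uid = 'me'"


def make_db():
    """Create a fresh throwaway database with a constructed usertable."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE usertable (uid TEXT PRIMARY KEY, credits INTEGER)")
    conn.execute("INSERT INTO usertable VALUES ('me', 5), ('alice', 20)")
    conn.commit()
    conn.close()
    return path


def open_as(path, privileged):
    """Open the database either with full rights or read-only.

    The read-only URI mode stands in for an application account that was
    never granted UPDATE (assumption: a server RDBMS would use GRANT instead).
    """
    mode = "rw" if privileged else "ro"
    return sqlite3.connect(f"file:{path}?mode={mode}", uri=True)


def run_statement(conn, sql):
    """Run one statement; return True if the database accepted it."""
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        # A read-only connection raises "attempt to write a readonly database".
        return False


def credits_for(path, uid):
    """Parameterized lookup over a read-only connection (the safe pattern)."""
    conn = open_as(path, privileged=False)
    row = conn.execute(
        "SELECT credits FROM usertable WHERE uid = ?", (uid,)
    ).fetchone()
    conn.close()
    return row[0] if row else None


def attempt(privileged):
    """Send the injected UPDATE over a connection of the given privilege.

    Returns (accepted, credits_of_me_afterwards) on a fresh database, so the
    two runs do not influence each other.
    """
    path = make_db()
    conn = open_as(path, privileged)
    accepted = run_statement(conn, INJECTED)
    conn.close()
    return accepted, credits_for(path, "me")


if __name__ == "__main__":
    print("full-privilege account:", attempt(True))    # (True, 10000)
    print("restricted account:    ", attempt(False))   # (False, 5)
```

The point of the contrast is that the privileged run is what most PHP applications effectively expose, since the app connects as the schema owner; the restricted run shows the injected statement reaching the database and being refused there, independent of whether the PHP layer ever escaped its input. Neither run is a substitute for parameterized queries (the `credits_for` lookup shows that pattern); the restricted account is the second layer that holds when the first one fails.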
