Figure 5.8 Messages on the message board.
The application functionality may be as simple as inserting this message
into a MESSAGES table and allowing all members of the message board to
review the messages posted to the board, as shown in Figure 5.8 (blurred to
protect the innocent).
Building a message board is simple, but if you do not think about security
(or about the ways hackers may try to compromise your application), you can
easily decide to implement the message board by creating a table in the
database called MESSAGES, having the message board listing do a SELECT on
this table, and having the posting function do an INSERT into this table.
For simplicity, assume that the columns in the MESSAGES table are called
SUBJECT, AUTHOR, TEXT, and TIMESTAMP, and that the timestamp is
auto-generated. In this case the application code for posting a message may
simply do the following:
INSERT INTO MESSAGES(SUBJECT, AUTHOR, TEXT)
VALUES (<whatever you type in the subject field>,
        <your login name in the application>,
        <whatever you type in the message text area>)
This simple function is vulnerable to a simple injection attack using an
INSERT ... SELECT statement. If I type the following into the appropriate fields
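The following is an added worked example, not code from the book: it builds the posting function described above in Python against an in-memory SQLite database, once by splicing the field values into the SQL text (the pattern the INSERT above implies) and once with bound parameters. The table and column names follow the text; the database engine, the schema details and the sample message values are assumptions made for the example. A message containing an ordinary apostrophe is enough to show the difference: the spliced statement is no longer valid SQL, while the parameterized one stores the text exactly as typed.

```python
import sqlite3

# Schema assumed for the example: the four columns named in the text,
# with TIMESTAMP generated by the database as the text describes.
SCHEMA = """
CREATE TABLE MESSAGES (
    SUBJECT   TEXT NOT NULL,
    AUTHOR    TEXT NOT NULL,
    TEXT      TEXT NOT NULL,
    TIMESTAMP TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
"""


def new_board():
    """Create an empty in-memory message board."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def build_insert_unsafe(subject, author, text):
    """Assemble the INSERT the way the text's pseudocode does: by pasting the
    raw field values straight into the SQL string. Anything the user types,
    quotes included, becomes part of the statement itself."""
    return (
        "INSERT INTO MESSAGES(SUBJECT, AUTHOR, TEXT) "
        "VALUES ('%s', '%s', '%s')" % (subject, author, text)
    )


def post_message_unsafe(conn, subject, author, text):
    conn.execute(build_insert_unsafe(subject, author, text))
    conn.commit()


def post_message_safe(conn, subject, author, text):
    """Same INSERT, but the values travel as bound parameters, so the database
    never parses them as SQL, whatever characters they contain."""
    conn.execute(
        "INSERT INTO MESSAGES(SUBJECT, AUTHOR, TEXT) VALUES (?, ?, ?)",
        (subject, author, text),
    )
    conn.commit()


def list_messages(conn):
    """The message board listing: a SELECT over the MESSAGES table."""
    return conn.execute(
        "SELECT SUBJECT, AUTHOR, TEXT FROM MESSAGES ORDER BY rowid"
    ).fetchall()


def unsafe_insert_breaks(conn, subject, author, text):
    """Return True if the spliced INSERT is rejected by the SQL parser,
    i.e. the user-supplied text changed the structure of the statement."""
    try:
        post_message_unsafe(conn, subject, author, text)
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    conn = new_board()
    # Constructed sample message; the apostrophe is the only "special" input.
    subject, author, text = "Lunch plans", "alice", "It's at noon, don't be late"
    post_message_safe(conn, subject, author, text)
    print("parameterized INSERT stored:", list_messages(conn))
    print("spliced SQL would have been:", build_insert_unsafe(subject, author, text))
    print("spliced INSERT rejected by parser:",
          unsafe_insert_breaks(conn, subject, author, text))
    return conn


if __name__ == "__main__":
    demo()
```

The point of the comparison is that with the spliced form the content of a message board field and the SQL statement share one string, so the database cannot tell where the statement ends and the user's text begins. Bound parameters keep the two separate, which is the fix to apply to the posting function before worrying about what any particular input might do.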