quote:

---

Madrid, March 10 2003 - In order to facilitate data management, much website
content is now stored in databases. Today's Oxygen3 24h-365d will look at
some flaws in web page design that could allow attackers to foil security
and access confidential information in these databases.

Structured Query Language (SQL) is the most widely used language to interact
with relational databases. One of the most common operations is the
execution of a query in SQL to filter information in the database and return
the requested data. For example, if the following SQL command is executed:

select name, surname from personal where name = 'Bob'

The "name" and "surname" fields from the personal table will be returned
where the "name" field matches 'Bob'.

When designing dynamic web pages it is normal for users to be asked, through
set forms, for search strings to carry out SQL queries. For this reason, a
web form could ask for a user name and password to verify if user data
coincides with that stored in the database, and depending on the result,
allow access to restricted areas.

The problem arises when the form allows the user to enter special
characters, which means that a specially crafted string could be entered
which could modify the SQL query, to the point that access controls could be
skipped and an attacker could access information stored in the database. For
example, one of the most commonly used characters in SQL injection attacks
is the inverted coma (').

The solution to this situation lies in ensuring that the data entered in the
form is rigorously filtered, preventing the use of characters that could
modify SQL queries.

---