There are several ways to prevent these kinds of attacks:
- use the principle of least privilege
- use bind variables
There are several more options available to the programmer, some of which can be found on the Code Project website:
- Encrypt sensitive data.
- Access the database using an account with the least privileges necessary.
- Install the database using an account with the least privileges necessary.
- Ensure that data is valid.
- Do a code review to check for the possibility of second-order attacks.
- Use parameterised queries.
- Use stored procedures.
- Re-validate data in stored procedures.
- Ensure that error messages give nothing away about the internal architecture of the application or the database.
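As an added example (not code from the original post), the difference between pasting input into the SQL text and passing it as a bind variable, using Python's sqlite3 module as a stand-in for the Oracle/PHP binding the post refers to; the `videos` table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO videos (title, published) VALUES (?, ?)",
        [("Intro to bind variables", 1), ("Unlisted draft", 0), ("Private notes", 0)],
    )
    return conn


def find_concatenated(conn: sqlite3.Connection, title: str) -> list:
    """Vulnerable: the user-supplied title becomes part of the SQL text.

    A quote in the input ends the string literal early, so the rest of the
    input is parsed as SQL. The 'published = 1' filter can be overridden,
    and an ordinary apostrophe (as in "Don't stop") is a syntax error.
    """
    sql = "SELECT title FROM videos WHERE published = 1 AND title = '" + title + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_bound(conn: sqlite3.Connection, title: str) -> list:
    """Safe: the title is a bind variable (the '?' placeholder).

    The SQL text is fixed; the driver hands the value to the engine
    separately, so it is only ever compared as data, never parsed as SQL.
    Oracle uses named placeholders (:title) for the same purpose.
    """
    sql = "SELECT title FROM videos WHERE published = 1 AND title = ?"
    return sorted(row[0] for row in conn.execute(sql, (title,)))


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    print("concatenated:", find_concatenated(db, probe))  # leaks unpublished rows
    print("bound:       ", find_bound(db, probe))         # no row has that title
```

The bound version also handles titles containing apostrophes, which the concatenated version rejects with a syntax error.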
The main message is this: there were some unwanted videos in the YouTube bar of my website, mainly because of some of these iFrame security vulnerabilities. Small alterations in the SQL query filtering can prevent a lot of these inconveniences.
Here are also links to the Oracle site, with a short explanation of this subject by Arup Nanda, and to the PHP Cookbook:
Adaptive Cursors and SQL Plan Management (Arup Nanda):
http://www.oracle.com/technetwork/articles/ullman-bindings-088836.html
Binding Variables in Oracle and PHP by Larry Ullman:
http://www.oracle.com/technetwork/articles/ullman-bindings-088836.html