SQL Injection

Presented at DEF CON 10 (2002), Aug. 3, 2002, 1 p.m. (50 minutes)

SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first. Despite being remarkably simple to protect against, there is an astonishing number of production systems connected to the Internet that are vulnerable to this type of attack. The objective of this talk is to educate the professional security community on the techniques that can be used to take advantage of a web application that is vulnerable to SQL injection, and to make clear the correct mechanisms that should be put in place to protect against SQL injection and input validation problems in general.
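The vulnerable pattern the abstract describes (client-supplied data pasted into SQL text) beside the parameterized form it recommends, as an added Python example that is not part of the original talk; the users table, names and addresses are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original talk).
USERS = [("alice", "alice@example.test"), ("o'brien", "obrien@example.test")]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_unsafe_sql(name):
    # Vulnerable pattern: the client-supplied value becomes part of the SQL
    # text, so any quote in the data changes the structure of the statement.
    return "SELECT email FROM users WHERE name = '" + name + "'"


def lookup_unsafe(conn, name):
    row = conn.execute(build_unsafe_sql(name)).fetchone()
    return row[0] if row else None


def lookup_safe(conn, name):
    # Hardened pattern: the statement text is fixed; the value is bound as a
    # parameter and is never parsed as SQL, whatever characters it contains.
    stmt = "SELECT email FROM users WHERE name = ?"
    row = conn.execute(stmt, (name,)).fetchone()
    return row[0] if row else None


def quote_breaks_unsafe_query(conn, name):
    """True if the string-built query no longer parses for this input."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe already breaks the unsafe query,
    # while the parameterized lookup handles it as plain data.
    print(quote_breaks_unsafe_query(db, "o'brien"), lookup_safe(db, "o'brien"))
```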


Presenters:

  • Kevin Spett - SPIDynamics
    Kevin Spett is a web application security expert and researcher. His discovery of new SQL injection attack techniques and frequent security mailing list postings have made him among the most respected web application security professionals in the world. Kevin's responsibilities include maintaining the SPI Dynamics SecureBase and researching web application security concepts and software. He has been a SPI Dynamics employee since its inception.
