Thread: Security

  1. #1
    Join Date
    Dec 2003

    Unanswered: Security

    I was wondering...

    If someone found out what tables you had in your DB, and all the column names for each table, could they do any damage to your DB with that information alone, or would they have to have more than that? Or could they use that info as a starting point in trying to hack your DB?

  2. #2
    Join Date
    Jan 2003
    London, England
    I'm no security expert but I have picked up a thing or two over the few years I have been a web developer. I don't think you should worry too much about the object names you have in your database. If a hacker decides to hack your db I'm quite confident that he knows how to do a select on the master db and find exactly what he needs.

    Instead you need to be careful about the security of the server itself and how it gets accessed and the way you program your application that communicates with it. You can have the best firewall in the world and make it completely unhackable from the outside, but if you don't program the app properly you're basically in trouble anyhow. No matter what sort of application and what language you use you always need to validate your user input for malicious characters, where it comes from and the length of the input. Let me show a brief example of a very common login sequence (in VBScript):
    ' Classic ASP login: the form values are trimmed, then concatenated
    ' straight into the SQL text (deliberately vulnerable, see below)
    Username = TRIM(Request.Form("Username"))
    Password = TRIM(Request.Form("Password"))
    SQL = "SELECT * FROM users WHERE Username = '" & Username & "' AND Password = '" & Password & "'"
    Usually this works just fine, but if a hacker decides to test your app imagine what would happen if he entered something like this:

    Username: john' OR 0 = 0;DELETE users;--
    Password: something

    If somebody does this to your website you would have an empty user database and you would not even be close to understanding what happened in a GOOD while. My thought is that application security is just as important or even more important than firewalls and all that and it is quite often being neglected...
    "Real programmers don't document, if it was hard to write it should be hard to understand!"
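The injection described in the post, reproduced as an added example that is not part of the original thread and not the poster's code. Python with an in-memory SQLite database stands in for the VBScript/ADO/SQL Server setup: `run_batch` is a toy stand-in for a driver that executes every statement in the string (as ADO does against SQL Server), the user rows are constructed sample data, and the payload uses `DELETE FROM users` because SQLite, unlike SQL Server, requires the `FROM`. The hardened version uses a parameterized query plus the length check the post recommends.

```python
import sqlite3

# Constructed sample data, not from the original post
SAMPLE_USERS = [("john", "hunter2"), ("alice", "s3cret")]

# The poster's payload, with FROM added so SQLite accepts it
INJECTED_USERNAME = "john' OR 0 = 0;DELETE FROM users;--"


def fresh_db():
    """New in-memory database with a users table (plaintext passwords only
    to mirror the post; real applications store password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def split_statements(sql):
    """Split a batch on ';' outside single-quoted strings; drop empty
    fragments and fragments that are only a '--' comment."""
    parts, buf, in_str = [], [], False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    cleaned = [p.strip() for p in parts]
    return [p for p in cleaned if p and not p.startswith("--")]


def run_batch(conn, sql):
    """Toy driver that runs every statement in the string, like ADO against
    SQL Server. Returns the rows of the first SELECT."""
    rows = []
    for stmt in split_statements(sql):
        cur = conn.execute(stmt)
        if not rows and stmt.upper().startswith("SELECT"):
            rows = cur.fetchall()
    conn.commit()
    return rows


def login_vulnerable(conn, username, password):
    """String concatenation exactly as in the posted VBScript."""
    sql = ("SELECT * FROM users WHERE Username = '" + username.strip()
           + "' AND Password = '" + password.strip() + "'")
    return run_batch(conn, sql)


def login_safe(conn, username, password):
    """Parameterized query: the input is bound as data, never parsed as SQL.
    The length limits are the input validation the post asks for
    (limits are assumed values for the example)."""
    username, password = username.strip(), password.strip()
    if len(username) > 64 or len(password) > 128:
        return []
    cur = conn.execute(
        "SELECT * FROM users WHERE Username = ? AND Password = ?",
        (username, password),
    )
    return cur.fetchall()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, payload matched rows:",
          len(login_vulnerable(db, INJECTED_USERNAME, "something")))
    print("users left after payload:", user_count(db))
    db = fresh_db()
    print("safe, payload matched rows:",
          len(login_safe(db, INJECTED_USERNAME, "something")))
    print("users left after payload:", user_count(db))
```

Against the vulnerable function the payload both matches every row (the `OR 0 = 0`) and empties the table (the `DELETE`), while the trailing `--` swallows the password clause. Against the parameterized function the same string is just an unknown username: no rows match and the table is untouched.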
