Automated SQL injection

Via Lockergnome Bytes:

Automated SQL injection: What your enterprise needs to know: “SQL injection exploits may soon be as common as those targeting Windows and Unix flaws, experts say. An estimated 60% of Web applications that use dynamic content are likely vulnerable, with devastating consequences for an enterprise. A presentation of an automated attack targeting SQL injection flaws is planned for Black Hat Briefings this week in Las Vegas. This two-part interview with SPI Dynamics CTO Caleb Sima will tell you what you should fear, why and…”

This is why PHP-Nuke should be avoided. It makes no real attempt at security: user-provided values are spliced directly into the text of SQL queries without any validation or quoting, so a request parameter can change the meaning of the query. Drupal, on the other hand, never passes a user-provided value directly into a query.
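To make the difference concrete, here is an added example that is not code from PHP-Nuke, Drupal, or the original post. It uses Python's sqlite3 module (with an in-memory SQLite database standing in for MySQL) and a constructed two-table schema; the attacker inputs are hypothetical payloads of the kind the automated tools in the interview look for. Each query is written twice: once with the value pasted into the SQL string, and once with a bound placeholder.

```python
import sqlite3


def make_db():
    """Constructed sample data, not taken from any real CMS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwd TEXT);
        INSERT INTO users (name, pwd) VALUES ('admin', 's3cret'), ('alice', 'hunter2');
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles (title) VALUES ('Hello world');
    """)
    return conn


def login_vulnerable(conn, name, pwd):
    # Request values spliced into the SQL text: the pattern the post criticises.
    sql = "SELECT id FROM users WHERE name = '%s' AND pwd = '%s'" % (name, pwd)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, pwd):
    # Bound parameters: the driver hands the values to the engine separately
    # from the SQL text, so quotes, comments and keywords in them are just data.
    sql = "SELECT id FROM users WHERE name = ? AND pwd = ?"
    return [row[0] for row in conn.execute(sql, (name, pwd))]


def article_vulnerable(conn, article_id):
    # Unquoted numeric parameter: the attacker does not even need a quote
    # character to break out of the intended query.
    sql = "SELECT title FROM articles WHERE id = %s" % article_id
    return [row[0] for row in conn.execute(sql)]


def article_safe(conn, article_id):
    # The bound value is compared as a literal; it cannot add a UNION.
    sql = "SELECT title FROM articles WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (article_id,))]


# Hypothetical attacker inputs (constructed for this example).
BYPASS_PWD = "' OR '1'='1"                                   # tautology in the WHERE clause
COMMENT_NAME = "admin'--"                                    # comments out the password check
UNION_ID = "1 UNION SELECT name || ':' || pwd FROM users"    # dumps credentials via UNION


def demo():
    """Run every payload through both versions and return what each query yields."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, "nobody", BYPASS_PWD),   # every user id
        "safe_bypass": login_safe(conn, "nobody", BYPASS_PWD),         # nothing
        "vuln_comment": login_vulnerable(conn, COMMENT_NAME, "wrong"), # admin, no password
        "safe_comment": login_safe(conn, COMMENT_NAME, "wrong"),       # nothing
        "vuln_union": sorted(article_vulnerable(conn, UNION_ID)),      # article plus all credentials
        "safe_union": article_safe(conn, UNION_ID),                    # nothing
        "honest": login_safe(conn, "alice", "hunter2"),                # legitimate login still works
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The placeholder form is the principle the post credits Drupal with: the user's value never becomes part of the SQL text, so there is nothing for quoting or error checking to get wrong. Note that the UNION payload needs no quote at all, which is why quoting alone is a weaker defence than binding; for a numeric parameter, converting the input to an integer before it reaches the query is the usual second layer.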

One response to “Automated SQL injection”

  1. The interesting thing about that comment is that PHP-Nuke is primarily run off of MySQL. MySQL doesn't support the system table manipulations required for the automated attack techniques discussed at Black Hat. I'm not trying to imply that that makes PHP-Nuke safe at all, just a pain to automate the attack against 🙂