
MySQL Security

 
leo donahue
Ranch Hand
Posts: 327
I downloaded MySQL 4.0.12 for windows. I thought I'd start to look into other databases than MS Access for my personal jdbc studies.
What's this I find about security? You can send commands to the database via a web form! Is this normal? I tried issuing commands via string fields in my client applications to a MS Access database, and I either didn't get them right or I can't execute a command string this way.
Example from MySQL docs:

Do not trust any data entered by your users. They can try to trick your code by entering special or escaped character sequences in web forms, URLs, or whatever application you have built. Be sure that your application remains secure if a user enters something like ``; DROP DATABASE mysql;''.
also:
Try to enter `'' and `"' in all your web forms. If you get any kind of MySQL error, investigate the problem right away.

I'm not sure I need to understand how this works, but I'd like to. It looks like when you enter queries into MySQL from the command line, if you enter a ; you have finished your command. Why would the above code example work from a web form when you add the two single quotes ('') after the semicolon?
Being new to JDBC, this is stuff I would have never thought about using Access, except for storing names with apostrophes.
 
Gregg Bolinger
Ranch Hand
Posts: 15304
I think what they are saying is, a lot of people build web forms that take input from the user that is entered into the database. So what usually happens is the developer will simply take what was entered in the form and append it to an SQL Statement. For example if I had a web form where I entered a users first and last name I would have something like
INSERT INTO table VALUES (beanVar1, beanVar2);
Where beanVar1 and 2 are the values from my web form. If a user were to type in something like ;DROP DATABASE mysql;'' into the firstname or lastname text fields in the web form, SQL would throw an error on the first part of the statement but then go ahead and execute the second part because with ; it thinks it is a new statement.
I am not 100% sure on this, but it makes sense to me that this would be the security problem.
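A worked illustration of the appending-versus-parameters point above, added here as an example; it is not code from the thread or from the MySQL documentation. It is written in Python against the built-in sqlite3 module so that it runs offline; the users table, its rows and the probe inputs are constructed for the demo, and the JDBC counterpart of the ? placeholders is java.sql.PreparedStatement with setString(). It shows the outcomes the MySQL docs tell you to look for: a stray apostrophe in a name turns into a syntax error when concatenated, a crafted password makes the WHERE clause true for every row, and the same inputs are harmless when bound as parameters. Note the ; DROP TABLE payload: whether a second statement after the semicolon executes at all depends on the driver and API (sqlite3's execute() refuses more than one statement per call), so the absence of that particular failure is no evidence that concatenation is safe.

```python
"""Added example (not from the original thread): SQL injection through
string concatenation versus a parameterised query, using sqlite3 so it
runs offline. Table, rows and payloads below are constructed sample data."""
import sqlite3


def build_db():
    """Fresh in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (firstname TEXT, lastname TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Leo", "Donahue", "hunter2"), ("Gregg", "Bolinger", "s3cret")],
    )
    conn.commit()
    return conn


def login_concat(conn, firstname, password):
    """VULNERABLE: form fields pasted straight into the SQL text, the
    pattern described in the reply. Whatever the user types becomes SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE firstname = '" + firstname
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, firstname, password):
    """SAFE: the SQL text is fixed; values travel separately as bound
    parameters, so a quote or semicolon in the input stays plain data."""
    sql = "SELECT COUNT(*) FROM users WHERE firstname = ? AND password = ?"
    return conn.execute(sql, (firstname, password)).fetchone()[0] > 0


def probe(login, conn, firstname, password):
    """Run one login attempt and classify it the way the MySQL docs suggest:
    ('ok', True/False) on success, ('error', message) if the database balks."""
    try:
        return ("ok", login(conn, firstname, password))
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", str(exc))


def table_exists(conn, name):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


# Constructed inputs: a legitimate login, a name containing an apostrophe
# (the stray-quote test from the docs), a quote-breaking login bypass, and
# the stacked-statement payload the docs warn about.
PAYLOADS = {
    "legit":      ("Leo", "hunter2"),
    "apostrophe": ("O'Brien", "x"),
    "bypass":     ("Leo", "' OR '1'='1"),
    "stacked":    ("Leo", "'; DROP TABLE users; --"),
}


def run_all():
    """Return {name: (concat_outcome, param_outcome, users_table_intact)}."""
    results = {}
    for name, (first, pw) in PAYLOADS.items():
        conn = build_db()  # fresh database for every probe
        results[name] = (
            probe(login_concat, conn, first, pw),
            probe(login_param, conn, first, pw),
            table_exists(conn, "users"),
        )
    return results


if __name__ == "__main__":
    for name, (concat, param, intact) in run_all().items():
        print(f"{name:10s} concat={concat}  param={param}  users table intact={intact}")
```

Run the file directly to print one line per payload; each probe gets its own in-memory database, so the outcomes are independent of each other.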
 