Announcement

Collapse
No announcement yet.

Store SQL injection attacks in a database safely

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Store SQL injection attacks in a database safely

    I am aware this is an unusual question, but I'm wondering if it's possible to store data containing SQL injection attacks in a database without altering the data to remove the offensive parts?

    Why? I am hoping to write data from my ModSecurity log file into a SQLite database, and then use that database to quickly select transactions that match a set of criteria (e.g. a specific URI, specific IP address etc.).

    I really don't know anything about databases or sql injection yet, I'm just looking to find out if it's possible to do this before I spend hours writing/researching something that was doomed to failure from the start!

    Thanks
    samhobbs.co.uk

    #2
    Personally I have no idea, but I took a guess that such a question might have already been asked over at StackOverflow, and sure enough it had. Hope it has some useful ideas for you!

    http://stackoverflow.com/questions/5...-in-a-database
    sigpic
    "Let us think the unthinkable, let us do the undoable, let us prepare to grapple with the ineffable itself, and see if we may not eff it after all."
    -- Douglas Adams

    Comment


      #3
      Thank you for that! I don't know why my searches didn't turn it up. Now for some research...
      samhobbs.co.uk

      Comment


        #4
        When you present a form which allows the user to enter something, say a name, into a textbox and then use the contents of that box to search a database you could end up with something like this for an SQL command:
        select name, address, city, state, id, passwd from addresstable where name == $textbox
        (I'm leaving a lot out of this, like binding textbox to the name field, etc...)
        If $textbox contain "Jerry" then all the rows where that condition is true will be displayed. However, if $textbox contained something like "'jerry' OR 1=1" then since "1=1" is always true every row in the database will be displayed. Regular expressions applied to the contents of the textbox, in terms of what the name field should contain, will eliminate undesirable characters and prevent displaying more rows than one.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
        – John F. Kennedy, February 26, 1962.

        Comment


          #5
          Yeah, old thread, I know. But relevant:

          Comment


            #6
            Lol!
            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
            – John F. Kennedy, February 26, 1962.

            Comment


              #7
              I love that one. Comes up every single time there's some SQL-injection attack related news.

              Did you guys see this hand-written SQL injection attack on a ballot paper in Sweden? I can't remember if I read about it here or somewhere else, but here's the link in any case:

              http://alicebobandmallory.com/articl...rate-to-sweden
              samhobbs.co.uk

              Comment


                #8
                What a great story! I just sent it to our chatter email list at work.

                Comment


                  #9
                  Imagine if it had worked...
                  samhobbs.co.uk

                  Comment

                  Working...
                  X