Book Review - SQL Injection Defences

From PHP London wiki


O’Reilly “SQL Injection Defenses” by Martin Nystrom

Martin Nystrom brings us his insight into why hackers attempt to get into our databases and what we should do to keep them out. This O’Reilly “Short Cut” is certainly not the definitive volume on defending your applications, and isn’t designed to be, but will give you the understanding required to go further into making your systems secure.


The narrative is split into 3 main sections –


- A basic overview of the technologies involved, and why someone would want to exploit your systems

- What the attacks look like and how they’re performed

- A number of methods showing how you can defend your systems against attack


The author expects his reader to have some understanding of the programming languages used in the article, namely Perl, PHP, VB.Net and Java. From there he takes us through a variety of examples, showing how bad code allows the hacker in, and the tools within the various languages that help us keep them out.


He also emphasises the other non-coding methods we can use to stop or at least detect attacks, such as Cisco’s AVS system. According to his own narrative, these are difficult and time consuming to set up, but worth it for specific high-profile applications.


One of the interesting comments made is that the ‘Information Security’ magazine systems were broken into. It leaves you asking what the point is if even they can’t defend themselves. Of course, almost every system is vulnerable in some way, but our task is to reduce that risk as far as is feasible, and Martin does help us achieve that.


An area the book particularly highlights is PHP vulnerabilities, showing that its ease of design and speed of deployment are also its Achilles’ heel. However, there are also ‘built-in’ ways that even PHP can defend itself against the most hardened attacker.
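As an added illustration of the kind of contrast the book draws (this code is not from the book or the review), the following PHP shows the classic string-spliced query beside the built-in defence, a PDO prepared statement. It assumes PHP with the PDO SQLite driver and uses an in-memory database with constructed sample rows so it runs stand-alone.

```php
<?php
// Added example: vulnerable vs. prepared-statement lookup in PHP (PDO).
// In-memory SQLite with constructed sample data; nothing here is from the book.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-1'), ('bob', 'b-2')");

// Vulnerable: the caller's input is spliced straight into the SQL text,
// so a quote in the input becomes part of the query's grammar, not a value.
function lookupVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the query text is fixed and the value is bound separately by the
// driver, so whatever characters $name contains, it is only ever compared
// against the name column and can never alter the WHERE clause.
function lookupPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed hostile input: closes the string literal and adds a tautology.
// Against lookupVulnerable the WHERE clause becomes always-true and every row
// comes back; against lookupPrepared it is just a name nobody has.
$hostile = "x' OR '1'='1";

echo "Vulnerable query returned " . count(lookupVulnerable($db, $hostile)) . " row(s)\n";
echo "Prepared query returned "   . count(lookupPrepared($db, $hostile))   . " row(s)\n";
```

The same pattern applies whichever database PHP is talking to: keep the SQL text constant and pass every user-supplied value as a bound parameter.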


The text is interlaced with screenshots of various applications at work, but in some ways this is its downside. After reading the book through a few times, I felt I’d been educated and would be able to take what I’d learnt into a real situation. What Martin could have done is drop some of the images not relevant to the subject matter and some of the repetitive description, and replace them with some more ‘meat on the bones’.


As the book is delivered as a PDF, it is worth having around as a reminder of what can happen if you don’t educate your developers in the right techniques. Some of the examples shown will certainly shock the novice programmer, showing just how easily your data can be compromised.


More information can be found on the O'Reilly site at http://www.oreilly.com/catalog/9780596529642/index.html


Written by Robert Atkinson
