Block SQL Injection

Cliff Wells cliff at
Thu Apr 21 07:59:05 MSD 2011

On Thu, 2011-04-21 at 10:40 +0700, Edho P Arief wrote:
> On Thu, Apr 21, 2011 at 8:36 AM, Cliff Wells <cliff at> wrote:
> > Easy. What data does your database store? Quite probably usernames and
> > passwords. A fundamental truth is that people often use the same
> > passwords for multiple services. If you can obtain the password for a
> > company's CMS or Webmail application, chances are you now have their
> > password for multiple services.
> >
> There is a good reason why bcrypt is recommended as password hashing method.

Yes, adaptive hashes are a huge improvement over the raw MD5/SHA hashes
so many people still use.  Still, it's best if no one gains access to
even try.  

Also, for certain application domains, even if you don't crack the
passwords, just gaining access via SQL injection can lead to immediate
system compromise (hosting control panels, system monitoring tools,
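
The two points the thread makes, that a string-built query lets input rewrite the SQL and that raw MD5/SHA password hashes give away every account sharing a password once one is cracked, side by side in one runnable script. This is an added example, not code from the thread or from nginx: the users table and the malformed lookup string are constructed, and stdlib PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption: no bcrypt package installed; the salted, iterated structure is what matters).

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data (not from the thread): two users sharing a password.
USERS = [("alice", b"hunter2"), ("bob", b"hunter2")]


def hash_password_raw(password: bytes) -> str:
    """Unsalted single-round MD5: the scheme the thread warns against."""
    return hashlib.md5(password).hexdigest()


PBKDF2_ROUNDS = 100_000  # work factor; raise it as hardware gets faster


def hash_password_adaptive(password: bytes, salt=None, rounds=PBKDF2_ROUNDS) -> str:
    """Salted, iterated hash. Stand-in for bcrypt using only the standard
    library (assumption: the bcrypt package is not available here)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def verify_adaptive(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and round count; constant-time compare."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_db(adaptive: bool = True) -> sqlite3.Connection:
    """In-memory users table populated with either hashing scheme."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for name, pw in USERS:
        h = hash_password_adaptive(pw) if adaptive else hash_password_raw(pw)
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, h))
    return conn


def lookup_vulnerable(conn, username: str):
    """Builds SQL by string formatting: the input is parsed as SQL text,
    so a quote in it changes the WHERE clause."""
    sql = "SELECT username, pw_hash FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """Parameterized query: the driver binds the value, which can never
    alter the query's structure."""
    return conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def stored_hashes_identical(conn) -> bool:
    """True if both users' stored hashes are equal, i.e. one cracked hash
    exposes every account that shares the password."""
    rows = conn.execute("SELECT pw_hash FROM users ORDER BY username").fetchall()
    return rows[0][0] == rows[1][0]


if __name__ == "__main__":
    conn = make_db(adaptive=False)
    crafted = "' OR '1'='1"  # constructed malformed input; no real user has this name
    print("vulnerable lookup returned", len(lookup_vulnerable(conn, crafted)), "rows")
    print("parameterized lookup returned", len(lookup_safe(conn, crafted)), "rows")
    print("raw MD5 hashes identical:", stored_hashes_identical(conn))
    print("adaptive hashes identical:", stored_hashes_identical(make_db(adaptive=True)))
```

Run it as a script: the string-built lookup returns every row for the malformed name while the parameterized one returns none, and the two raw MD5 rows are identical whereas the salted adaptive rows differ even though the password is the same. Note that the salt only prevents one crack from covering many accounts; the iteration count is what makes each guess expensive, which is why the thread still treats keeping attackers out of the table as the first line of defence.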


More information about the nginx mailing list