Block SQL Injection
Cliff Wells
cliff at develix.com
Thu Apr 21 07:59:05 MSD 2011
On Thu, 2011-04-21 at 10:40 +0700, Edho P Arief wrote:
> On Thu, Apr 21, 2011 at 8:36 AM, Cliff Wells <cliff at develix.com> wrote:
> > Easy. What data does your database store? Quite probably usernames and
> > passwords. A fundamental truth is that people often use the same
> > passwords for multiple services. If you can obtain the password for a
> > company's CMS or Webmail application, chances are you now have their
> > password for multiple services.
> >
>
> There is a good reason why bcrypt is recommended as a password hashing method.

Yes, adaptive hashes are a huge improvement over the raw MD5/SHA hashes
so many people still use. Still, it's best if no one gains access to
even try.

Also, for certain application domains, even if you don't crack the
passwords, just gaining access via SQL injection can lead to immediate
system compromise (hosting control panels, system monitoring tools,
etc).

Regards,
Cliff
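The two points in this exchange, keeping the injection out in the first place and storing passwords as salted adaptive hashes rather than raw MD5, as one added example that is not part of the thread. The user table, usernames and passwords are constructed sample data; since bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 from `hashlib` stands in as the adaptive hash, with an iteration count you raise over time:

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for the adaptive hash; raise it as hardware gets faster.
# (Constructed value for this example, not a recommendation for production.)
ITERATIONS = 200_000


def hash_password_raw(password: str) -> str:
    """One unsalted MD5 pass: the 'raw hash' the post warns about. Contrast only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password_adaptive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 as a stdlib stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute and compare in constant time so the check leaks no timing signal."""
    candidate = hash_password_adaptive(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def make_demo_conn() -> sqlite3.Connection:
    """In-memory table with two constructed users; each gets a fresh random salt."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password_adaptive(pw, salt))
        )
    conn.commit()
    return conn


def lookup_user_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the caller's string is spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_param(conn: sqlite3.Connection, username: str) -> list:
    """Fixed form: the driver binds the value, so it can never become SQL syntax."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (username,))]


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup plus adaptive-hash verification."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return verify_password(password, salt, stored)


if __name__ == "__main__":
    conn = make_demo_conn()
    probe = "' OR '1'='1"  # the classic tautology, used here only to show the two forms differ
    print("concatenated :", lookup_user_concat(conn, probe))  # every row comes back
    print("parameterized:", lookup_user_param(conn, probe))   # no such user: []
    print("alice/correct:", check_login(conn, "alice", "correct horse"))
    print("alice/wrong  :", check_login(conn, "alice", "wrong"))
```

The parameterized lookup is what prevents the database dump in the first place; the salted, iterated hash is the fallback that makes a dump expensive to turn into reusable passwords. Note that the raw MD5 form maps the same password to the same digest for every user, which is exactly what lets one cracked row unlock many accounts.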
More information about the nginx mailing list