Education: Injection, PHP, and MySQL

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection.

According to OWASP, injection is the number one attack vector for web applications. Injection attacks can target many different contexts in a web application: HTML, PHP, ASP, JavaScript, SQL, etc. Any context in which an interpreter parses input to execute instructions is potentially vulnerable to an injection attack. There are many excellent tutorials on injection attacks available on the web. Here’s a brief selection of SQL injection attacks for reference:

I will describe the background of the technologies that came together to make SQL injection attacks so prevalent on the web, since I believe context is important. I will focus primarily on PHP and its connectivity to MySQL as a database back-end, because this technology stack drives so much of the current web.
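To make the PHP-and-database context concrete before the history, here is an added example (not code from the original post) that runs the same lookup two ways: once by concatenating user input into the SQL text, the pattern that makes injection possible, and once with a prepared statement, where the query shape is fixed and the input only ever travels as a bound value. It uses an in-memory SQLite database through PDO so it runs offline; the table, rows and the probing input are constructed for the demonstration, and the MySQL note in the comments is the only thing that changes for a real back-end.

```php
<?php
// Added example, not from the original post. SQLite in memory stands in for MySQL
// so the script is self-contained; the PDO prepared-statement API is the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL, also disable client-side emulation so the server binds the values:
//   $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable form: the input becomes part of the SQL text that the database parses,
// so characters in the input can change the meaning of the statement.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement is compiled first, and the input is supplied as a
// value for the :name placeholder, never as SQL syntax.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: closes the string literal and appends an always-true condition.
$input = "x' OR '1'='1";

printf("unsafe: %d row(s) returned\n", count(findUserUnsafe($db, $input)));
printf("safe:   %d row(s) returned\n", count(findUserSafe($db, $input)));
```

Run with `php example.php` (requires the pdo_sqlite extension). The concatenated version returns every user, because the database sees two conditions joined by OR; the prepared version returns nothing, because it looks for a user whose name is literally the whole input string. The point to carry into the rest of the post is that escaping and filtering try to keep input from being parsed as SQL, while parameter binding removes the input from the parsed text altogether.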
