Verteidigung gegen SQL-Injection-Angriffe - ETH Zürich

AbstractSQL injections are a form of attack against database-based applications. Successful attacks might allow theattacker to log into otherwise restricted web applications by “successful authentication”, to disclose privateinformation stored in a database, or to modify one or more database tables.In this report we explain in detail what SQL injections are, what kinds of attacks can be mounted with them,and how to defend against them.In addition to this report, we have developed a demo application. It is available in two versions: An insecureversion, where the attacks described in the report are successful and defensive measures nonexistant, and animproved version where the attacks fail.This demo application allows you to reproduce the described attacks and to understand the counteractivemeasures, but it can also be used for education purposes.