Many people say they know what SQL injection is, but all they have heard about or experienced are trivial examples. SQL injection is one of the most devastating vulnerabilities to impact a business, as it can lead to exposure of all of the sensitive information stored in an application’s database, including handy information such as usernames, passwords, names, addresses, phone numbers, and credit card details.

SYNGRESS

SQL Injection Attacks and Defense

Justin Clarke, Lead Author and Technical Editor
Rodrigo Marcos Alvarez, Dave Hartley, Joseph Hemler, Alexander Kornbrust, Haroon Meer, Gary O'Leary-Steele, Alberto Revelli, Marco Slaviero, Dafydd Stuttard

Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media, Syngress, "Career Advancement Through Skill Enhancement," "Ask the Author UPDATE," and "Hack Proofing" are registered trademarks of Elsevier Inc. "Syngress: The Definition of a Serious Security Library," "Mission Critical," and "The Only Way to Stop a Hacker is to Think Like One" are trademarks of Elsevier Inc.
Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing Inc.
Elsevier Inc.
30 Corporate Drive
Burlington, MA 01803

SQL Injection Attacks and Defense
Copyright 2009 by Elsevier Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval .