SQL Injection Attacks and Defense
List Price: $59.95
Our Price: $48.52
You Save: $11.43 (19%)
Shipping: This item ships for FREE with Super Saver Shipping.
SKU: M1597494240

In Stock
Usually ships in 1 business day

Description:

Winner of the Best Book Bejtlich Read in 2009 award!

"SQL injection is probably the number one problem for any server-side application, and this book is unequaled in its coverage." Richard Bejtlich, http://taosecurity.blogspot.com/

SQL injection represents one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet, largely because there is no central repository of information to turn to for help. This is the only book devoted exclusively to this long-established but recently growing threat. It includes all the currently known information about these attacks and significant insight from its contributing team of SQL injection experts.

  • What is SQL injection? Understand what it is and how it works
  • Find, confirm, and automate SQL injection discovery
  • Discover tips and tricks for finding SQL injection within the code
  • Create exploits using SQL injection
  • Design to avoid the dangers of these attacks
    Product Details:
    Author: Justin Clarke
    Paperback: 474 pages
    Publisher: Syngress
    Publication Date: May 15, 2009
    Language: English
    ISBN: 1597494240
    Package Length: 8.9 inches
    Package Width: 7.4 inches
    Package Height: 1.2 inches
    Package Weight: 2.1 pounds

    Customer Reviews:
    Average Customer Review: 5.0 (based on 12 customer reviews)


    Most Helpful Customer Reviews

    12 of 12 found the following review helpful:

    5 stars: Finally, the "Bible" for SQL Injection (May 27, 2009)
    By Mike
    I'm giving "SQL Injection Attacks and Defenses" five stars for a few reasons.

    First, the book is extremely comprehensive, covering everything from basic "What is SQL Injection?" information to advanced exploit development and static analysis tools (including open source tools).

    Second, this book was obviously written very recently. The content is fresh and cutting-edge.

    Finally, the book is advanced. Though the reader doesn't necessarily need to know much about SQL Injection in order to start reading it, the book covers as much as anyone would need to know about the subject.

    SQL Injection Attacks and Defenses is a well written, comprehensive book that can be extremely useful to security professionals, developers, and database administrators interested in writing or maintaining secure code. It could easily be called the "bible" of SQL Injection.

    6 of 6 found the following review helpful:

    5 stars: Another serious contender for Best Book Bejtlich Read 2009 (Oct 25, 2009)
    By Richard Bejtlich "TaoSecurity"
    I just finished reviewing The Web Application Hacker's Handbook, calling it a "Serious candidate for Best Book Bejtlich Read 2009." SQL Injection Attacks and Defense (SIAAD) is another serious contender for BBBR09. In fact, I recommend reading TWAHH first because it is a more comprehensive overview of Web application security. Next, read SIAAD as the definitive treatise on SQL injection. Syngress does not have a good track record when it comes to books with multiple authors -- SIAAD has ten! -- but SIAAD is clearly a winner.

    SIAAD is very detailed, with code samples to demonstrate the author's attack patterns. They cover multiple programming languages, multiple databases, and flood the book with examples. It's clear the authors utilize these methods for their daily work. Just about every situation is addressed, like returning database query results using DNS, HTTP, database connections, and even email. I admit I laughed when reading that chapter 7 offered "advanced topics." I thought the first 6 chapters were advanced enough, given the depth of the material!

    I had no real issues with this book, but it's important to realize you won't read about attacks against PostgreSQL, for example. Other reviewers noted this as well. However, the authors do concentrate on the methodology and offensive mindset needed to attack any SQL database. I believe dedicated readers could apply the lessons of SIAAD to products beyond MS-SQL, Oracle, and MySQL.

    Great work -- this is the sort of "niche book" that should be referenced by anyone else who wants to cover Web-related attacks.

    4 of 4 found the following review helpful:

    5 stars: Tour de Force Coverage of SQL Injection Issues (Jul 24, 2009)
    By Data Guy
    This is a book that I can heartily endorse. My bailiwick, and probably yours too if you are looking here, is data management and database administration. And if you function within that realm, you should be familiar with SQL injection attacks and how to defend them. Not surprisingly, given its title, that is just what this book provides.

    SQL injection is quite dangerous, and yet is commonly misunderstood by many. This book, which is devoted exclusively to the SQL injection threat and how to defend against it, provides the knowledge and tactics you will need to understand and combat SQL injection attacks.

    From the basics of vulnerability to discovery, exploitation, prevention, and mitigation measures, the book is a SQL injection tour de force. The book is up-to-date and covers unique, publicly unavailable information. One quick example of a major benefit of this book: you can make the code-level and platform-level defenses offered in Chapters 8 and 9 available to the developers and system administrators responsible for Internet development at your shop... which should minimize the risk of SQL injection attacks.

    If you are a DBA, programmer, or system analyst involved in writing Internet applications using database systems, then you owe it to yourself to buy and read SQL Injection Attacks and Defense. It just may save your data!

    3 of 3 found the following review helpful:

    5 stars: Credit where credit is due (Apr 22, 2010)
    By Justin Clarke
    Not sure whether this is the appropriate place to leave this comment (as I'm the technical editor/lead author on this book), but Amazon doesn't seem to have a good way for the author to comment.

    This book was a combined effort of 10 folks who put a large amount of effort into the overall project. Unfortunately because of the way Syngress has listed the book (with only my name on the front as the lead author) those folks don't get the credit they deserve. This is the list of guys without whom the book would not have been anywhere near as good:

    - Rodrigo Marcos Alvarez
    - Dave Hartley
    - Joseph Hemler
    - Alexander Kornbrust
    - Haroon Meer
    - Gary O'Leary-Steele
    - Alberto Revelli
    - Marco Slaviero
    - Dafydd Stuttard

    2 of 2 found the following review helpful:

    5 stars: Good Enough to be Dangerous (Mar 25, 2010)
    By Hugh K. Boyd
    It really surprises me that SQL injection is still such a ubiquitous attack vector given that it is really fairly simple to prevent. I believe that the reason for this is that many software developers just don't understand how these attacks are orchestrated by hackers in the wild, so they often tend to resort to simplistic "security through obscurity" solutions such as not displaying error messages, restricting the number of rows returned for queries, and so forth. With this in mind, what really makes this book shine is its deep dive into some of the more arcane techniques used in blind SQL injection, second order SQL injection, and blended attacks, such as piggybacking SQL injection onto other attack vectors such as cross site scripting. It goes well beyond the simple injection tactics that are given only cursory coverage in many other security texts and lays it all out there for developers, engineers, and anybody else who wants to really get their hands around how these attacks work, and more importantly, how to prevent them.

    I use this book quite often as an authoritative reference for security awareness presentations to application development teams because it provides some of the most comprehensive coverage of the topic that I have seen. That said, if I am critical of anything in this book, it is that the author, in my opinion, finesses a bit on his treatment of prepared statements and stored procedures as mitigation strategies against SQL injection attacks. Both prepared statements (parameterized queries if you prefer) and stored procedures can be highly effective countermeasures to combat SQL injection exploits; however, if these techniques are naively implemented (as they frequently are), they can be readily subverted by a skilled attacker. A bit more detail devoted to the correct use patterns for these countermeasures would be a worthwhile addition.

    Nevertheless, I still rate this a five star read because of its depth, overall accuracy, its coverage of automated SQL injection tools, and its excellent coverage of attacks against the most commonly used database products, such as Oracle, MS SQL Server, and MySQL.
