- Are Open Source Projects insecure because they publish their table structure? These 1.5M results on GitHub suggest software engineers think otherwise.
- But what about SQL Injection? Are those attacks easier if you know the database table structure? Not really, no. Finding out whether a server can be exploited using SQL Injection is done without knowledge of the database structure. In fact, an injection like `' or '1'='1` exploits basic boolean expressions, not table structure. Once you know the server is exploitable, it’s easy to fetch the table structure, assuming it’s not a Blind injection (where results are inferred from true/false responses rather than read directly).
- Is it easier to steal books from the library if they use the Dewey Decimal system? Is it easier to steal things from buildings with public record floor plans? Okay, enough analogies.
- I’d be curious whether the case would be more likely to succeed if the request did not include stored procedures, which are closer to code than to data.
- Regardless, the government could transform the data into a non-SQL format (or require the plaintiff to do so before publishing). Even simpler, the table structure could be obfuscated in some way.
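The point about boolean injections not depending on schema knowledge, as an added example (not part of the gist): the same `' or '1'='1` input is run against a constructed in-memory SQLite table through a string-concatenated query and through a parameterized one. The table name and columns are arbitrary assumptions; the concatenated version returns every row regardless of what they are, while the bound parameter is never parsed as SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data; the schema is deliberately trivial because the
    # injection below does not depend on knowing it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    return conn


def lookup_concat(conn, username):
    # Vulnerable: user input is spliced into the SQL text, so a quote in the
    # input closes the literal and the rest is interpreted as SQL.
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    # Hardened: the value is bound as a parameter; the database compares it
    # as data, so "' or '1'='1" is just a username that does not exist.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# The tautology from the text: it needs no table or column names at all.
PAYLOAD = "' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, PAYLOAD))  # every row
    print("parameterized:", lookup_param(db, PAYLOAD))  # no rows
```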
Last active: August 29, 2015 14:10
Are database records a Hacker’s Handbook?