SQL Injection Defenses by Martin Nystrom

How Applications Work

This section describes how web applications and SQL queries work together to provide access to data via the web.

How Web Applications Work

Applications hosted on the web are typically an assembly of an Internet-facing web server, an application server, and a database server (see Figure 1). Web applications are most commonly built with PHP, Perl, .NET (Visual Basic, C#, or some Microsoft variant), or Java.

Figure 1. Typical web application architecture.

From the web browser, all data needed for processing by the application is encoded in HTTP and sent to the web server, which parses the input and passes the relevant data to the application. Because this input is plain text, it is easy to "fuzz" an application: to send erroneous or malicious input and elicit responses for which the programmer didn't test. The plain-text encoding also allows anyone to easily intercept his own legitimate traffic to the web server in order to understand the input and output better, which helps him craft his attack (see Figure 2).

Nearly every web application interacts with a database. The database is often used for storing reference information (such as product information), and information from the application user is often used as part of the queries to draw out specific information. For example, if a user were to log into a web application and begin searching for products ...
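The following is an added example, not code from the book, that traces the path the two paragraphs above describe: a plain-text HTTP request line is parsed for its search parameter, and that user-supplied value is then used in a product query. It contrasts the pattern that splices the value into the SQL text with the parameterized form that keeps the query structure fixed. The product rows, the request line and the SQLite in-memory database are all constructed for the example; the function names are hypothetical.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample catalogue (not from the book); a product name that
# legitimately contains an apostrophe is included on purpose.
PRODUCTS = [
    ("Widget", 9.99),
    ("O'Reilly Mug", 12.50),
    ("Gadget", 19.00),
]


def make_db():
    """Build an in-memory SQLite database standing in for the database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def extract_search_term(request_line):
    """Mimic the web server's parsing step: pull the 'q' parameter out of a
    plain-text HTTP request line such as 'GET /search?q=Widget HTTP/1.1'.
    Everything the application sees arrives this way, readable and editable."""
    _method, target, _version = request_line.split(" ")
    params = parse_qs(urlsplit(target).query)
    return params.get("q", [""])[0]


def search_concatenated(conn, user_input):
    """Vulnerable pattern: the user's value becomes part of the SQL text, so
    any character with SQL meaning in it changes the query's structure.
    Returns None when the database rejects the query, i.e. the untested-for
    response the text mentions, triggered here by an ordinary apostrophe."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + user_input + "%'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError:
        return None


def search_parameterized(conn, user_input):
    """Defensive pattern: the query structure is fixed at write time and the
    value travels separately as a bound parameter, so it is only ever data."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + user_input + "%",)))


if __name__ == "__main__":
    conn = make_db()
    # Constructed request: the browser URL-encodes the apostrophe as %27.
    term = extract_search_term("GET /search?q=O%27Reilly HTTP/1.1")
    print("search term:", term)
    print("concatenated:", search_concatenated(conn, term))
    print("parameterized:", search_parameterized(conn, term))
```

Running the script shows the concatenated query failing on the apostrophe while the parameterized query returns the matching product; the same mechanism that lets a harmless quote break the query is what makes untrusted input in concatenated SQL dangerous, and binding parameters removes it.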