Renault with a banner across its bumper reading "ZU 0666', 0, 0); DROP DATABASE TABLE LICENCE;"Click the photo to see it at full size.

“Flintstones/Jetsons” is a term that Mark Mothersbaugh from Devo uses to describe technology solutions that are a combination of low- and high-tech. It’s probably an apt term for what the driver of the Renault in the photo above is doing to foil licence plate cameras. If the “Jetsons” part – the SQL injection attack comprising the text on the banner on the bumper – doesn’t work, the “Flintstones” approach of physically covering up the licence plate will.

SQL Injection-a-Rama

No quick tour of SQL injection is complete without mentioning this classic XKCD comic, Exploits of a Mom. If you’ve ever heard someone use the phrase “Little Bobby Tables” when talking about databases and security, here’s where it comes from:

The classic "Little Bobby Tables" XKCD comic.

"SQL" with a syringe sticking through it

Want a good introduction to SQL injection attacks? Start with SQL Injection Attacks by Example at Steve Friedl’s Tech Tips. It walks you through the steps of an SQL injection attack, where a cracker (note that I said “cracker” – there are hackers and crackers, and there’s a difference) uses a combination of deductive reasoning and unexpected, unsanitized input to get unintended results from the database.

Also worth checking out:

Here’s an enjoyable presentation by Joe McCray on Advanced SQL Injection, which he gave at the 2009 LayerOne conference. He likes to drop the “f-bomb” and “s-bomb” every now and again while presenting, but if you don’t mind a little salty language, it’s a good security talk:

(You can download the slides from Joe’s presentation in PDF format here.)

This article also appears in Canadian Developer Connection.