I just finished reviewing The Web Application Hacker's Handbook, calling it a "Serious candidate for Best Book Bejtlich Read

2009." SQL Injection Attacks and Defense (SIAAD) is another serious contender for BBBR09. In fact, I recommend reading TWAHH first because it is a more comprehensive overview of Web application security. Next, read SIAAD as the definitive treatise on SQL injection. Syngress does not have a good track record when it comes to books with multiple authors -- SIAAD has ten! -- but SIAAD is clearly a winner.



SIAAD is very detailed, with code samples to demonstrate the author's attack patterns. They cover multiple programming languages, multiple databases, and flood the book with examples. It's clear the authors utilize these methods for their daily work. Just about every situation is addressed, like returning database query results using DNS, HTTP, database connections, and even email. I admit I laughed when reading that chapter 7 offered "advanced topics." I thought the first 6 chapters were advanced enough, given the depth of the material!



I had no real issues with this book, but it's important to realize you won't read about attacks against PostgreSQL, for example. Other reviewers noted this as well. However, the authors do concentrate on the methodology and offensive mindset needed to attack any SQL database. I believe dedicated readers could apply the lessons of SIAAD to products beyond MS-SQL, Oracle, and MySQL.



Great work -- this is the sort of "niche book" that should be referenced by anyone else who wants to cover Web-related attacks.

Скачать книгу бесплатно (pdf, 3.34 Mb)

---

Читать «SQL Injection Attacks and Defense»