[wp-hackers] Wordpress database encryption.

Dion Hulse (dd32) wordpress at dd32.id.au
Sun Nov 27 06:09:07 UTC 2011


On 27 November 2011 17:02, Mike Schinkel <mikeschinkel at newclarity.net> wrote:
> On Nov 27, 2011, at 12:37 AM, jackie sparks wrote:
>> Miscoded and rogue plugins. I'm talking about plugins that allow SQL injections, not plugins that actually look like they have bad intent.
>
> I'm confused. Isn't SQL injection mostly destructive, and not for accessing information? It doesn't matter if a table's data is encrypted; dropping a table still drops a table.
>
> Of course I don't consider myself a security expert so maybe I'm wrong about this and it is reasonable to use SQL injection to access data?

SQL injection can be used for anything: adding users, deleting users,
dropping tables, and in many cases it has also been used to alter the
SELECT query to display different data than expected. For example, if
you could SQL inject the primary WP_Query SQL, you could make the
posts list display usernames/emails/hashed passwords instead of posts.
In many cases, the SQL injections in plugins can't be used to show
data, only alter the data going into the database, which only allows
DROP/INSERT/UPDATE attacks to be usable by that attack vector.

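The distinction Dion draws above (a SELECT whose shape the attacker can change versus a query where input can only be a value) comes down to how the plugin builds its SQL. The following is an added illustration, not code from the thread or from WordPress: a constructed in-memory table standing in for wp_posts, a query built by string splicing beside its parameter-bound counterpart. In WordPress code the bound form corresponds to $wpdb->prepare().

```python
import sqlite3

# Constructed sample rows standing in for a wp_posts table (not real WordPress data).
SAMPLE_POSTS = [
    (1, "Public post", "publish"),
    (2, "Unpublished draft", "draft"),
    (3, "Private note", "private"),
]


def make_db():
    """Build a throwaway SQLite database with the constructed wp_posts rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_status TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def titles_by_status_unsafe(conn, status):
    """The plugin mistake described in the thread: request input spliced into
    the SQL text, so the input can rewrite the WHERE clause and widen what the
    SELECT returns."""
    sql = f"SELECT post_title FROM wp_posts WHERE post_status = '{status}'"
    return [row[0] for row in conn.execute(sql)]


def titles_by_status_safe(conn, status):
    """Parameter binding: the driver passes the value separately from the SQL,
    so whatever the input contains it is compared as a literal and cannot
    alter the statement."""
    sql = "SELECT post_title FROM wp_posts WHERE post_status = ?"
    return [row[0] for row in conn.execute(sql, (status,))]


def compare(status):
    """Run both variants on the same input and return their results side by side."""
    conn = make_db()
    try:
        return titles_by_status_unsafe(conn, status), titles_by_status_safe(conn, status)
    finally:
        conn.close()
```

With a plain status value both functions agree; with a value that carries a quote and an OR clause, only the spliced version returns rows the caller never asked for, while the bound version matches nothing.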
