The Database Hacker's Handbook: Defending Database Servers and over one million other books are available for Amazon Kindle. Learn more
  • List Price: $50.00
  • Save: $13.37 (27%)
Only 9 left in stock (more on the way).
Ships from and sold by
Gift-wrap available.
The Database Hacker's Han... has been added to your Cart
Condition: Used: Good
Comment: Book is in GOOD condition. No Notation or Highlights. Covers and corners show shelf wear. Eligible for 2-day Shipping with Amazon Prime or FREE standard shipping with orders over $35.00. Tracking number provided in your Amazon account with every order.
Access codes and supplements are not guaranteed with used items.
Sell yours for a Gift Card
We'll buy it for $3.67
Learn More
Trade in now
Have one to sell? Sell on Amazon
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See this image

The Database Hacker's Handbook: Defending Database Servers Paperback – July 14, 2005

9 customer reviews
ISBN-13: 978-0764578014 ISBN-10: 0764578014 Edition: 1st

Buy New
Price: $36.63
31 New from $12.59 25 Used from $12.45
Amazon Price New from Used from
"Please retry"
"Please retry"
$12.59 $12.45
Free Two-Day Shipping for College Students with Amazon Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student

InterDesign Brand Store Awareness Rent Textbooks
$36.63 FREE Shipping. Only 9 left in stock (more on the way). Ships from and sold by Gift-wrap available.

Frequently Bought Together

The Database Hacker's Handbook: Defending Database Servers + The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
Price for both: $65.85

Buy the selected items together

Editorial Reviews

From the Back Cover

Databases are the nerve center of our economy. Every piece of your personal information is stored there—medical records, bank accounts, employment history, pensions, car registrations, even your children's grades and what groceries you buy. Database attacks are potentially crippling—and relentless.

In this essential follow-up to The Shellcoder's Handbook, four of the world's top security experts teach you to break into and defend the seven most popular database servers. You'll learn how to identify vulnerabilities, how attacks are carried out, and how to stop the carnage. The bad guys already know all this. You need to know it too.

  • Identify and plug the new holes in Oracle and Microsoft® SQL Server
  • Learn the best defenses for IBM's DB2®, PostgreSQL, Sybase ASE, and MySQL® servers
  • Discover how buffer overflow exploitation, privilege escalation through SQL, stored procedure or trigger abuse, and SQL injection enable hacker access
  • Recognize vulnerabilities peculiar to each database
  • Find out what the attackers already know

Go to for code samples, security alerts , and programs available for download.

About the Author

David Litchfield specializes in searching for new threats to database systems and web applications and holds the unofficial world record for finding major security flaws. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of The Shellcoder’s Handbook, SQL Server Security, and Special Ops. In his spare time he is the Managing Director of Next Generation Security Software Ltd.

Chris Anley is a co-author of The Shellcoder’s Handbook, a best-selling book about security vulnerability research. He has published whitepapers and security advisories on a number of database systems, including SQL Server, Sybase, MySQL, DB2, and Oracle.

John Heasman is a principal security consultant at NGS Software. He is a prolific security researcher and has published many security advisories relating to high-profile products such as Microsoft Windows, Real Player, Apple Quick-Time, and PostgreSQL.

Bill Grindlay is a senior security consultant and software engineer at NGS Software. He has worked on both the generalized vulnerability scanner Typhon III and the NGSSQuirreL family of database security scanners. He is a co-author of the database administrator’s guide, SQL Server Security.

Next Generation Security Software Ltd is a UK-based company that develops a suite of database server vulnerability assessment tools, the NGSSQuirreL family. Founded in 2001, NGS Software’s consulting arm is the largest dedicated security team in Europe. All four authors of this book work for NGS Software.


Shop the new
New! Introducing the, a hub for Software Developers and Architects, Networking Administrators, TPMs, and other technology professionals to find highly-rated and highly-relevant career resources. Shop books on programming and big data, or read this week's blog posts by authors and thought-leaders in the tech industry. > Shop now

Product Details

  • Paperback: 532 pages
  • Publisher: Wiley; 1 edition (July 14, 2005)
  • Language: English
  • ISBN-10: 0764578014
  • ISBN-13: 978-0764578014
  • Product Dimensions: 7.4 x 1 x 9.2 inches
  • Shipping Weight: 1.7 pounds (View shipping rates and policies)
  • Average Customer Review: 4.7 out of 5 stars  See all reviews (9 customer reviews)
  • Amazon Best Sellers Rank: #856,702 in Books (See Top 100 in Books)

Customer Reviews

Most Helpful Customer Reviews

22 of 23 people found the following review helpful By John Matlock on July 14, 2005
Format: Paperback
Here is a book in which you will probably only be interested in 1/7 of the pages. That means that instead of reading 528 pages you only need to read about 70. But, you may really, really need that 70 pages. The reason for this is that the book covers seven of the most common databases: IBM DB2, Oracle, MySQL, PostGreSQL, SQL Server, SyBase, Informix. These programs are so different that what applies to one does not generally apply to the others.

Each section of the book covers one of the databases. It usually begins with some history of both the database and attacks on it. For instance the Slammer worm compromised more than 75,000 SQL Server databases within ten minutes of its release in January 2003.

After that there is a discussion on the database, its architecture, how it handles things like authentication and so on.

Finally it goes into how to defend the database against attack. This includes information on how to remove unncecessary features and services that might serve as gateways to attacks, and talks about how to use the databases own internal security systems to their maximum effectiveness.

As I said, you really need the 70 or so pages that refer to your own database.

PS - What's the most secure database - PostGreSQL, and it goes into why.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
6 of 6 people found the following review helpful By sixmonkeyjungle on November 20, 2005
Format: Paperback
David Litchfield is arguably the foremost expert and evangelist when it comes to database security. He, and his team of compatriots from Next Generation Security Software, have written a book that any database or security administrator should be familiar with.

Even if some of the attacks or exploits described in the book were previously obscure or unknown, the fact that they have been outlined in this book means that administrators need to know about them and defend against them before the "bad guys" read this book and take advantage of them.

One of the best aspects of this book is the way it is organized. Splitting the book into sections devoted to specific database systems makes it exceptionally simple and convenient to use. If you only use MySQL, you can skip all of the information regarding Oracle or Microsoft SQL Server, and just focus on the section of the book that applies to you.

Within each section, the authors provide a tremendous wealth of knowledge. Aside from describing weaknesses, potential exploits and protective measures to defend against them, they also look at the general architecture and the methods of authentication used by the database.

Any database admin should have a copy of this on their desk.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
8 of 9 people found the following review helpful By Tatjana Injac on July 24, 2005
Format: Paperback Verified Purchase
This review is only for the Oracle parts of the book.

The most interesting chapter is "Attacking Oracle". These guys give phrase "thinking outside of the box" the real meaning. They look for a feature or bug open to the security attack, then they shake it til it breaks. You will see exploits of AUTHID, PL/SQL injections, app. server, dbms_sql.parse bug,... most of them relevant to 9i and 10g versions.

The hacks are mainly in the sections called "Real-World Examples". Most of the exploits are already patched by Oracle and they are also available on hacking forums, but there were some new ones that were quite a revelation.

The security recommendations in the "Securing Oracle" chapter were too general, you can probably find Internet white papers on hardening Oracle that give more details. But, this book is not really about hardening Oracle, even if it says "Defending Database Servers" with small, blue letters on the front cover. This book is about attacking database servers.

I have seen David Litchfield's previous work and I am sure he knows (and has tried) more than what is written here. Can we expect to see that in "The Hacker's Handbook" part II?
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
10 of 12 people found the following review helpful By Richard Bejtlich on May 5, 2006
Format: Paperback
The Database Hacker's Handbook (TDHH) is unique for two reasons. First, it is written by experts who spend their lives breaking database systems. Their depth of knowledge is unparalleled. Second, TDHH addresses security for Oracle, IBM DB2, IBM Informix, Sybase ASE, MySQL, Microsoft SQL Server, and PostgreSQL. No other database security book discusses as many products. For this reason, TDHH merits four stars. If a second edition of the book addresses some of my later suggestions, five stars should be easy to achieve.

The first issue I would like to see addressed in a second edition of TDHH is the removal of the 60 pages of C code scattered throughout the book. The code is already provided on the publisher's Web site, and its appearance in a 500 page book adds little. The three pages of characters (that's the best way to describe it) on pages 313-315 in Ch 19 are really beyond what any person should be expected to type.

The second issue involves general presentation. Many chapters end abruptly with no conclusion or summary. Several times I thought "Is that it?" Chapters 2, 5, 7, 10, 13, 15, 18, 21 and 22 all end suddenly. The editor should have told the authors to end those chapters with summaries, as appear in other chapters. On a related note, some of the "chapters" are exceptionally short; Ch 9 and 12 are each 3 pages, for example. Chapters that short are an indication the book is not organized well.

The final issue involves discussion of various databases. I preferred the "Hacking Exposed" style of the 2003 book SQL Server Security, which included Dave Litchfield and Bill Grindlay as co-authors. That book spent more time introducing the fundamentals of database functions before explaining how to break them.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again

Set up an Amazon Giveaway

Amazon Giveaway allows you to run promotional giveaways in order to create buzz, reward your audience, and attract new followers and customers. Learn more
The Database Hacker's Handbook: Defending Database Servers
This item: The Database Hacker's Handbook: Defending Database Servers
Price: $36.63
Ships from and sold by