SQL Injection Attacks Increasing 384
An anonymous reader writes "Help Net Security has a story that covers the dramatic increase in the number of hacker attacks attempted against its banking, credit union and utility clients in the past three months using SQL Injection." Article follows up on press release with a little more information. Not a lot here shockingly surprising, but it's worth mentioning that SQL injection is a real pain for web developers. You have to be very careful about checking user input.
Another web developer pain... (Score:5, Funny)
How difficult is it. (Score:4, Informative)
Most languages provide the functionality to do that (in php: intval() for all integer request vars, and _escape_string() for string data.).
It's just a small amouth of work, yet a lot of people are way to lazy.
Re:How difficult is it. (Score:2, Informative)
Re:How difficult is it. (Score:5, Informative)
Here is an example, taken straight from PDO's page:The framework is there, PHP developers need to make use of it, but sadly things like the following are still common:
Re:How difficult is it. (Score:2)
Frankly, this will continue until doing it the "right" way is almost as easy as doing it the quick hack way. The api should be:
bind_query('SELECT value FROM REGISTRY WHERE name = ":name"', name=$name);
I don't think this is possible in PHP, unfortunately, but the language ought to be extended to allow it. Many other languages can do it. This on
Re:How difficult is it. (Score:3, Informative)
However, I agree with you, PHP should have had a DB layer from the start, another problem with PHP is that it attracts uneducated users who read a couple of PHP/MySQL tutorials before writing their first vulnerable query, that's why I believe one should read Essential PHP Security [slashdot.org] (Or a similar book/online reference) before using PHP, otherwise there is a very good chance
Re:How difficult is it. (Score:3, Insightful)
Re:How difficult is it. (Score:3, Insightful)
Re:How difficult is it. (Score:3, Informative)
www.mysite.com/login?username=dave&password=mypwd
you would do something like and see if a 'username' was returned:
"select id from users where username='{$_GET['password']}' and password='{$_GET['password']}'"
To attack that code, you would do this:
www.mysite.com/login?username=admin&password=mypwd '+or+test='test
that would run this code:
"select id from users where username='admin' and password='myp
Re:How difficult is it. (Score:2)
You can program incorrectly in any language. Plenty of people still sprintf into SQL statements and directly execute them with no params instead of prepare-ing them first and doing an execute with parameters. They do it with perl, python and other languages.
A large portion of the programmers out there simply do not understand and do not care about the difference in security and performance between sprintf used with static-like SQL and proper dynamic SQL with parameter replacements. In
Re:How difficult is it. (Score:4, Insightful)
Wow! How intelligent, I expect this to be modded up before I ever post...after all this is slashdot.
Quite honestly, as a programmer, I expect the applications to do as I ask them to, and not hold my dick at every opportunity. If I want something passed to a SQL statement in the way I've asked it to, I don't expect my data to be munged by the application to protect me.
I'm sorry, but this rash of piss poor programmers that don't know how to program, nor care to do any security on their own part is a problem unto themselves and not a symptom of an interfact that completely sucks. Folks that make blind statements about folks who suck generally are the ones wiping their lips afterwards from the sweet juice of man-gina.
I've been programming for nearly 20 years. I've used probably a dozen languages and every year I hear from the kiddies about how much more one app needs to do for you than the other. And usually its a bit more convenient and thus I generally adopt the language that helps get things done quicker. At the same instance, I never forget its me that has to be assured of the security and understand the lower level concepts so that if someone isn't taking this into consideration with this particular release of their language you'll be fucked (and its happened to me before in off version releases of 'secured' 'programming languages' -- luckily I was immune in most instances).
So if anyone is missing a point, its the guy stating there is only one database iterface for Perl, the guy that believe perl is a decent language to write in (in my 20 years of programming and teaching an upper level computer science theory course at one point), perl has been the only language I've decided to entirely skip after realizing how bad it really was and the fact it was designed solely to appease geeks that wanted to repell the opposite sex. You'd find more readable code programming in Klingon, to put a statement that you might understand.
Seriously, if I had mod points today, I would have simply modded every post of yours down today, but I decided to respond anonymously, and I hope mine gets modded down just as yours does. If you are going to write something ignorantly, write it anonymously where most of us can ignore it.
Re:How difficult is it. (Score:4, Insightful)
Let me get this straight: you are condemning a programming language but championing the language it spawned.
As for your comment:
Bwahahaha!! Since when is escaping a single-quote considered an attempt to "hold your dick"? Simple string concatenation for the creation of database is always a bad idea, even for 20-year veterans like you. The last time you were coding at 4am, were you as sharp as you were at midnight?
Also you are falling into the same pseudo-libertarian trap (tripe?) that many programmers seem to these days. You think that as long as you are doing the right thing, who cares what someone else does? In fact, ridiculing others is a sufficient solution to most problems.
It's not.
SQL injection attacks affect me when it's my bank. When was the last time you personally interviewed the web development staff at your bank or credit union? How do you know they are as good as you are? Considering the fact that binding variables is as fast or faster than simple string concatenation in most cases (in some cases, they can be converted to stored procedures transparently on the back end), I have exactly zero problems with a language "holding some dicks" in the name of security. Especially since there is no speed loss in the process.
Correctness, not "what works." It's the difference between modern chemistry and alchemy. You might end up with the right result, but only with trial and error... mostly error.
But perhaps this all points to a greater Slashdot problem: too many people who refuse to get their dicks held once in a while. In more ways than one.
Perl DBI is pretty good, actually (Score:3, Interesting)
In fact, Perl's DBI is not only fast, but when used properly (variable substitutions, binding variables, etc) it works extremely well. Also the fact that everytime you change your data source (CSV, XLS, MySQL, SQLite, MSSQL Server, Oracle, PostGres, etc) all your functions don't change. You can always count on:
Re:How difficult is it. (Score:3, Insightful)
Someone who has "skipped Perl entirely" while using PHP, certainly needs to check their head.
For any doubters:
http://tnx.nl/php [tnx.nl]
http://czth.net/pH/PHPSucks [czth.net]
PHP - training wheels without the bike indeed.
Re:How difficult is it. (Score:4, Insightful)
Because the modern CPU has rendered the need for compiled languages pretty much to nothing.
There are times I will revert to a C backend for functionality that needs massive processing without a lot of connection to the outside world. I've done this on a recent project where I needed to analyze text to parse into a synopsis. Early prototypes of the workflow used both PHP and Perl because I like the readability of PHP but one of my lead developers likes the textual nature of Perl...I actually agreed with him on this point and allowed him to design the prototype in this so that we could tweak the algorythm in realtime without having to do a 30 minute compile each time -- which is about how long it takes to do the final C routine. As a development and prototyping language, it worked out, but was slow. It was also very hard to understand mixed with idiosynchratic perl and higher level mathematical formulae to derive this. The C was much cleaner.
If it wasn't for the textual nature of Perl, I would have never allowed it to be used. I ended up keeping a second set of code developed in parallel that by the end was actually easier to maintain and faster than Perl in PHP. Both were several factors slower than the compiled application regardless of how you looked at it.
"why wouldn't you want to use something that is even more convenient?"
Because convenience doesn't mean that you shrug off the responsibility of protecting your code, or using good practices simply because someone else might have put it into their application. If you are doing simple queries, you can easily encapsulate your request and be done with it. Fuck, thats what stored proceedures are for and you don't need any fucking programming language to do that correctly. Work with anything that requires more than a single join and a simple where statement and you give the user the ability to shape this, and you've gone beyond the ability of stored proceedures and views or the simple data encapsulations that you are offered in these languages. Probably why I see all these Perl and RoR applications that make a hundred calls to the database to get one tables worth of information and I find this a limitation.
There are reasons and advantages to use a lot of languages...folks that don't understand this are doomed to keep using the same tools that they did 50 years ago with no advancement.
Re:How difficult is it. (Score:5, Insightful)
Re:How difficult is it. (Score:3, Informative)
It is both easier, and much more secure.
Re:How difficult is it. (Score:3, Informative)
No need to run any silly escape functions as long as you use constant SQL strings and let the framework build your query strings.
-matthew
Re:How difficult is it. (Score:3, Informative)
With a more strongly typed language, there is no excuse for passing unescaped strings.
Re:How difficult is it. (Score:5, Informative)
I've been doing that for years without any problems.
I've also never had any issue with "business logic". I can keep my business logic
seperate with stored procs. (I never understood that argument against them.)
Re:How difficult is it. (Score:2)
Re:How difficult is it. (Score:5, Informative)
2) USE SOURCE CONTROL. Without trying to be nasty, you're insane (or a one man operation) if you use the database as your authoritative source for stored procs. If you have any environments beyond a production server, the ability to script installation/alteration of procs is essential.
Re:How difficult is it. (Score:3, Informative)
3)600 procs?? It sounds like you've put too much in one database. I've seen groups do this and it usually leads to scalability problems. I'm not talking about multiple servers; just spliting things up catagorically into multiple databases in the same instance. In sql server they're called databases, in Oracle they're called schemas....not sure about db2 or sybase.
The end result is you have all your customer related data and associated objects (views, sto
Re:How difficult is it. (Score:5, Informative)
Bingo!
but then you have to have 2 copies of everything.
Stored procedures (like any DDL statements to set up your database schemas) should be handled like any other source code and treated as such. This includes version control
There seems this "but I can pull it out of the database with my super GUI tool, so why should I keep it on file too?" attitude. Well, duh; it's mighty hard to pull anything of a database whoms disk just crashed.
For recoverability reasons database objects (including stored procedures) should be scripted and version controlled. Period.
Re:How difficult is it. (Score:2)
--trb
No! Not stored procedures! (Score:3)
Then you set item 1 to some value, item 2 to another, etc. Other variations exist as well:
Re:How difficult is it. (Score:3, Informative)
--trb
Re:How difficult is it. (Score:3, Interesting)
The where clause basically says, if the optional parameter is not the default then check it, otherwise ignore it.
I've never had 30 optional parameters but I've had quite a few and this
tric
Re:How difficult is it. (Score:2)
For most web applications, stored procedures are overkill and just too time-consuming to implement. If you have a relatively uncomplicated database (which is the case with 90% of web applications, I'd guess), then ad-hoc queries allow much faster development time. Even if you do make the effort to properly quote all your strings, and convert your numbers to numbers rather than using them directly.
Re:How difficult is it. (Score:3, Insightful)
Re:How difficult is it. (Score:5, Informative)
If your stored procedures are only very thin layers encapsulating low level database access operations (thus not much more than pre-packaged selects, updates, inserts and deletes) you should have no business logic in the database problems.
On the other hand there's a couple of downsides to such a design:
- It requires developers with a good level of expertise in both the language used to develop the core of the application and the one used for the stored procedures. This is true both for initial development and for maintenance.
- It makes an application tightly couple to the database. If you want to port to another database, at the very least you will have to redo all the stored procedures.
- It increases the likellyhood of having version conflict problems between the core application and the database application components. More specifically, the data-model is usually more stable across versions of the application than the actions executed on data in that model (eg "find all employees in more than Y departments and whose manager is level X"), and thus if you store in the database code which is tightly couple to the actions that the application executes on the data then previous versions of the database (for example, those restored from a backup) are not likelly to work with the lastest version of the application (nor are they likelly to be easilly "fixed" by a DBA).
- It's harder to debug code that crosses platforms and languages
More in general, the problem of SQL injection can be avoided simply by using prepared statements or any other type of SQL query that takes input parameters instead of using string concatenation to make SQL queries that include the input values.
Using stored procedures to solve this specific problem is very much overkill.
Beyond this, the only good reason i can see for using stored procedures like this is for performance reasons if you do some level of post-processing on the results or some sort of "smart" block updating of data. In this case, stored procedures should only be used in a very small number places (to solve high-impact IO bottlenecks between the application and the database) and not in a generic way.
The last couple of reasons i see for such a design are:
- A "job protection" measure by locking the application to the specific skillset combination of a specific developer
- Because the developer prefers-to/is-more-confortable-with developing code in the database that in the core application
Hardly good reasons IMHO
Re:How difficult is it. (Score:2)
No no No no No no NO (Score:5, Informative)
Just don't build your query on the fly.
Bind ALL parameters to placeholders in a prebuilt query. Binding is an instant kill for any SQL injection attack. It is also much more effecient on many databases.
Re:No no No no No no NO (Score:5, Insightful)
That bears reiterating. If you are passing user input to a database in anything but a bind variable, you are incompetent. Period. End of story.
I've seen it so many times. Why do programmers think that it's a good idea to write their own escape routines when every database has a facility for denoting what is variable data and what is not? Unbelievable.
Re:How difficult is it. (Score:3, Informative)
In this case it depends on how many kinds of things you want to do with data. For simple stand alone applications, like a blog or something, it probably isn't much. Most insertions, updates and queries probably happen behind a DAO pattern anyway; it's easy to enforce semantic checks there, and it's no big deal if the data is stored in some kind of garbled looking encoding. But in the post internet bubble world, databases h
I Do Web Programming For A Major University (Score:3, Insightful)
I still have to write some fairly secure applications (if they get breached there won't be any terribly sensitive information, but there are some thi
Re:I Do Web Programming For A Major University (Score:3, Informative)
a) nobody sees it as a big priority, and since "something is already in the works" that's good enough for them.
b) I'm a student and I am arguing my case against a "professional staff
Injection preventation doesn't need input checking (Score:2, Insightful)
Re:Injection preventation doesn't need input check (Score:4, Informative)
that would be PHP.
Quit spreading FUD. PHP supports parameterized SQL just as well as any other language I've worked with. See, for example this doc page [php.net] (search for "Example 2"). Even for databases whose native C APIs don't support the feature (i.e. MySQL), the database abstraction layer PEAR::DB that is distributed with PHP provides emulation [php.net].
Qualifications (Score:5, Interesting)
Re:Qualifications (Score:2)
Re:Qualifications (Score:2, Insightful)
Checking input is a "pain in the ass"?!? (Score:5, Insightful)
Re:Checking input is a "pain in the ass"?!? (Score:3, Informative)
It's actually worse than that, not only is security not adequately discussed, in a huge number of cases, sample code is given that is totally insecure. Newbies are being taught to write insecure code by ignorant tutorial authors.
I'm not sure why, but there's something about web development that makes people with the tiniest amount of knowledge
Re:Checking input is a "pain in the ass"?!? (Score:3, Interesting)
Re:Checking input is a "pain in the ass"?!? (Score:2, Insightful)
90% of the friends I have who are web developers have no formal engineering training.
It shows. (No offense to any of them who may read this... but seriously, your code sucks.)
Re:Checking input is a "pain in the ass"?!? (Score:2)
Re:Checking input is a "pain in the ass"?!? (Score:2)
It shows. (No offense to any of them who may read this... but seriously, your code sucks.)
It's not just web developers. Look at the average OSS application. Hell, look at 'ssh', one of the fundamental tools sometime. It's unbelievably bad uncommented spaghetti crap.
The problem with software is that it's easy for anybody to jump in and do it... and it shows.
Re:Checking input is a "pain in the ass"?!? (Score:3, Interesting)
There is a lot of legacy code and lot of code that was never meant to see a prod
Hard for Devs? (Score:3, Insightful)
Re:Hard for Devs? (Score:5, Interesting)
Re:Hard for Devs? (Score:4, Informative)
You're approaching it with the wrong mindset. A database API shouldn't check for SQL injection attempts, it should encode the input appropriately. Avoiding SQL injection attacks is just a subset of correct operation, as anybody with an Irish surname could tell you.
As for an example, well with Python's DB-API 2.0, you write code like this:
It doesn't matter whether quux has apostrophes, it gets automatically escaped because the API is designed as an interface to input data, not an interface that accepts data that has been specially prepared and cannot be distinguished from data that hasn't been specially prepared.
Re:Hard for Devs? (Score:3, Informative)
Here's an example of parameterized queries in Java:
A pain for who exactly? (Score:3, Interesting)
Which web developers would these be? MuppetsR'US ? SQL injection is a pain if you take the input and lob it directly to the database without doing any sort of validation that the information is sensible.
Its a great example of all those people who scream "THIS IS SO MUCH QUICKER TO DEVELOP IN THAN THE OLD WAY" and then bite it after the system goes live.
SQL injection isn't a pain, except for those who think they've found a new quick magic bullet that solves all the problems and the old fuddy duddy practices are now all redundant.
Interesting... (Score:2)
Re:Interesting... (Score:2)
Re:Interesting... (Score:2)
Re:Interesting... (Score:2)
Input checking is a half-assed solution. (Score:4, Interesting)
I continue to be in disbelief that anyone doing professional database work can *not* follow this widely accepted best practice and continue to be employed.
Re:you NEED that half of your ass (Score:3, Informative)
You don't need to, that's what constraints are for in SQL.
Yes, you should still check to make sure the integer is a proper value so you can display a good error message, but if data is supposed to be constrained in some way, you really should have that constraint specified in the SQL schema itself. SQL provides tools for ensuring data integrity, they should be used!
Runs off to check latest MySQL documen
Use PreparedStatements with Java (Score:5, Insightful)
Re:Use PreparedStatements with Java (Score:2)
Re:Use PreparedStatements with Java (Score:4, Informative)
You should stipulate that you must bind all parameters to placeholders. You could use PreparedStatement the same way as Statement and have the same problem. Bind all parameters, no matter what language you are using.
Re:Use PreparedStatements with Java (Score:2)
Re:Use PreparedStatements with Java (Score:5, Informative)
String SQL = new String("select * from user where username = '" + username + "'");
PreparedStatement statemnet = connection.prepareStatement(SQL);
That does *nothing* for you, and is just as insecure. Instead, make sure you use parameterized statements:
String SQL = new String("select * from user where username = ?");
CallableStatement cs = connection.prepareCall(SQL,
cs.setString(1, username);
Most databases treat the two very differently. In the second case, the database compiles the statement and then compares the username field with your value. In the first, your value is inserted and then compiled, allowing injection.
--trb
Re:Use PreparedStatements with Java (Score:2)
Re:Use PreparedStatements with Java (Score:2)
Working in the QA department for a database vendor ( -- shameless plug -- Intersystems Cache [intersystems.com] --) I can tell you that working with parameters is not all that much more difficult than blind SQL. Most languages can create bound parameters in a single extra line of code.
Note that the statement about being much faster really does depen
Pain for web developers? (Score:2)
Sure, if I'm putting together a blog for myself security may not be my top priority and in a situation like this the "I'm too lazy and this is a pain in the ass" excuse is fine (just dont complain if things go wrong).
However, it's an alltogether different story if you're doing professional web development - the "I'm lazy" excuse doesn't cut it when you're developing something commercially. It is your job to make a functional application and a (large) part of that is making it resilient towards exploits. H
Re:Pain for web developers? (Score:2)
This is great. I never knew people had blogs just for themselves. But may I ask, on the off chance that you and your insights were actually worth reading about would you give a thought to those commenting on your weblog? Their email addresses? usernames, passwords? How many of them will use the same password for their email as they wi
serious question (Score:2)
With all my Web Apps I create a function called SafeChar, and have it replace the ' with '
How else is SQL injection done? It's an embarrassing questions to ask, and fortunately I write software for small companies internal use only... but if you don't ask I guess you don't learn.
Re:serious question (Score:3, Interesting)
Re:serious question (Score:2)
There's also fun games you can play within/amongst the various encodings.
It depends on what step of the input parsing your SafeChar function is.
No. (Score:2)
Re:serious question (Score:2)
No. For example, an attacker could use a backslash as the last character in a string, and it would escape the quote you provide to delimit the string.
Trying to roll your own escape function is insanity. Don't do it. Every database API in existence provides well-tested escaping functions. Use them.
Sounds to me like your
Karma to burn: Why Slashdot is OK (Score:3, Insightful)
The responses to the serious question post are an example of what's good about
OK, back to your regular
Solution for PHP programmers (Score:3, Informative)
Make sure you use mysql_real_escape_string() on all incoming data that is headed for the mysql database (to get rid of SQL injection).
Make sure you use strip_tags() on all incoming data that is headed for output on your page (to get rid of cross-site scripting).
Re:Solution for PHP programmers (Score:4, Insightful)
Please don't do this, it's bloody annoying when half your input gets chucked away because you used a special character. I really don't see why that function ever existed, it's a total fuckup and completely unnecessary when things like htmlspecialchars() exist. Encode your user-supplied data properly, don't simply chuck bits of it away.
Re:Solution for PHP programmers (Score:2)
Good book (Score:2)
It's worth mentioning... (Score:2)
it's worth mentioning that SQL injection is a real pain for web developers.
I think it is worth mentioning that SQL injection is a real pain for poorly developped web applications. A simple paying-attention and good design of the application layers makes sure SQL injection cannot happen at a cheap cheapo price. 3-tiers anyone?"Careful" vs. "correct" (Score:5, Insightful)
This phrase is a common tipoff to one of the main problems.
The computer doesn't give a damn how careful you are. If you spend hours carefully crafting a chunk of code that, through your ignorance, has a big security hole, all your care hasn't helped a bit. You have merely produced bad code.
OTOH, someone with good knowledge of the subject might toss off a 30-second routine that, due to their understanding, is highly secure.
Carefulness has little to do with doing a good job. Carefully doing it wrong is merely doing it wrong, no matter how careful you are. And doing it right is doing it right, even if you hardly gave it a thought.
What we need here isn't useless exhortations to "be careful". What we need is education about how code gets into trouble, and training in writing code that doesn't have problems.
Yeah, I routinely write code that checks input. But if there's some hidden gotcha that I don't know about (typically in some library routine that's not visible to me), I'm quite aware that my careful checking might do little good.
mysql_real_escape_string (Score:2)
Just stick it [php.net] around any non-constants you pass in to MySQL (especially ALL user input or user-influenceable input) and you should be good.
Of course, to minimize the risk that you miss one, you might want to use functions or classes to wrap mysql_query. EX I might make a "function selectFromTableX" that takes one field name and one value to compare for equality in the WHERE clause (assuming that's all I ever use SELECT on that table for). Or you can make a class for every table and wrap up ALL queries f
Multi-tiered approach (Score:4, Insightful)
First rule of writing CGI: never trust the data! I work in Perl, and when an app is exposed to the outside world, I have to assume someone is going to try and get in through some hole if they can (or worse, will do something stupid that would have a negative affect oon my systems).
It starts with the web page -- validate input data. I know, I know, anyone can copy your page and rip out the JavaScript validation, but it doesn't hurt to put up a first line of defense. Next, before you actually use the data from the form for anythig validate it separately. In Perl, I have taint mode enabled by default for external apps and I treat all the data I receive as if it were dog crap. I massage it with regexes to make sure it is what it's supposed to be, and then pass it on to be processed. I find the best way to put up a wall is to have the form parameters sent to a validation script, then have the validation script call the script which would run the actual query, throwing back an error message to the user (and sending me a message in the process) if something's not right.
Data validation is really not that hard, especially if you know exactly what the inout is supposed to be. It gets iffier if the user can put in pretty much anything -- then you have to be a little more paranoid.
Dynamic 'WHERE' clauses (Score:5, Informative)
- Stored Procedures
- Parameterized Queries
- Learn the SQL-92 Specification (so that you're familar with the language beyond just SELECT, INSERT, UPDATE, and DELETE. There are all kinds of things out there to help you get rid of that dynamic code, like COALESCE, and CASE WHEN, etc.)
Here's the SQL-92 Specification [cmu.edu] (pops in a new window)this doesn't match my anecdotal evidence... (Score:2, Interesting)
Have to be very careful about checking user input? (Score:2)
SQL Euphoria (Score:5, Funny)
How to make SQL injection impossible (Score:2, Interesting)
There is a way to solve SQL injection problems: Disallow text literals in the database engine. Or even, disallow literals (including numbers) at all. This could be a setting in the database that is on by default, and only off for certain applications (ad hoc query t
But ... but ... IT'S CHEAP! (Score:4, Interesting)
Simple: The people who write those insecure databases don't even know that those functions and features exist. Some ages ago, they learned a bit about SQL, maybe did a course about it (so they have a sheet of paper saying "Look, I can do it!") and that's it.
HR managers tend to go by papers, and by price. Now, who do you think is cheaper to hire? A person with a well rounded education concerning computers, programs and the fallacies, pitfalls and security issues around them, or someone who learned his SQL statements by heart and has no clue what exactly is going down inside the server?
Sure, both of them will create code that does what the specs say. As long as you only enter data according to spec (which is, interestingly enough, ALL that is checked, even under the SOA). The true quality of code is revealed as soon as you pit something unexpected and malicious against it.
As a banking internet security guy . . . (Score:3, Insightful)
God lord!
We require 3 layers of data validation (as part of the web interface, as part of the middle-ware layer, and within the database as triggered stored procedures for updates and inserts.)
Not doing this SHOULD be criminal in my mind.
Once upon a time. (Score:3, Insightful)
I started a tcpdump -xX port 80 and host her.host Because everything was being passed plain text we could see everything in the uri. After a quick nmap -vv -sV -P0 her.host I connected via telnet her.host 80 After the required http 1.1 hello stuff I started submiting commands to her cgi script; alpha characters instead of numeric, big decimal numbers, negative values... It didn't take long for her to decide to rewrite it.
Its a pity... (Score:3, Interesting)
1. Use only prepared statements or stored procedures (Note even without concerned of SQL injection this is a good idea).
2. If you use stored procedures do not use any of the passed in values to generate dynamic SQL (otherwise you have just moved the problem from the app to the database).
Re:Hooray for PHP! (Score:4, Insightful)
Re:Hooray for PHP! (Score:2, Interesting)
Re:Hooray for PHP! (Score:2)
No, you don't, unless you are either using an utterly shitty language like PHP that doesn't have built-in protection from SQL injection, or you are going out of your way to make your program insecure by using string interpolation in your queries.
I'm not a PHP guy, but from what I can see it's not a language issue. Or, at least it's not primarily a language issue, although admittedly loose type checking contributes to the problem. It's a library/API issue.
IIRC PHP 5 has the equivalent of prepared statements
Re:Hooray for PHP! (Score:2)
The old ADO also had paramaterized query support, although they weren't as easy to use as in
Re:I'm not very experienced with SQL Security... (Score:2, Insightful)
Re:I'm not very experienced with SQL Security... (Score:2)
Re:I'm not very experienced with SQL Security... (Score:4, Insightful)
Many people use non-alphanumerics in their email. I, for example use underscore.
With the gradual movement of the web to non-latin URLs, too, the need for the acceptance of all printable Unicode in webforms has never been greater.
And as has often been pointed out, you can reduce the risk of your passwords being susceptible to dictionary attacks by using wierd (or perhaps unprintable) Unicode characters. Web & DB devs should do well to note that - I dislike sites immensely that restrict me to alphanumeric passwords - I'd like to use whatever alphabet I choose, to make my password more secure.
I'm not saying that input validation is a bad idea. It just needs to accept and validate input in any appropriate language - which for things like "Name" could be anything, even if the user is an anglophone. Some fields, like DOB, or numeric fields are easily validated - others like "Name" would be better cross-checked against a list of banned inputs, and escaped (or use parameters).
Re:What about magic_quotes_gpc (Score:3, Informative)