SQL Injection Attacks Increasing 384
An anonymous reader writes "Help Net Security has a story that covers the dramatic increase in the number of hacker attacks attempted against its banking, credit union and utility clients in the past three months using SQL Injection." Article follows up on press release with a little more information. Not a lot here shockingly surprising, but it's worth mentioning that SQL injection is a real pain for web developers. You have to be very careful about checking user input.
Qualifications (Score:5, Interesting)
A pain for who exactly? (Score:3, Interesting)
Which web developers would these be? MuppetsR'US ? SQL injection is a pain if you take the input and lob it directly to the database without doing any sort of validation that the information is sensible.
Its a great example of all those people who scream "THIS IS SO MUCH QUICKER TO DEVELOP IN THAN THE OLD WAY" and then bite it after the system goes live.
SQL injection isn't a pain, except for those who think they've found a new quick magic bullet that solves all the problems and the old fuddy duddy practices are now all redundant.
Re:Hard for Devs? (Score:5, Interesting)
Input checking is a half-assed solution. (Score:4, Interesting)
I continue to be in disbelief that anyone doing professional database work can *not* follow this widely accepted best practice and continue to be employed.
Re:Hooray for PHP! (Score:2, Interesting)
Re:serious question (Score:3, Interesting)
Re:Checking input is a "pain in the ass"?!? (Score:3, Interesting)
There is a lot of legacy code and lot of code that was never meant to see a production server, not every developer has the opportunity to work only on new applications. For any webdeveloper nowadays, it is trivial to make a *new* website safe from web injection, however securing an old crappy one is non-trivial.
this doesn't match my anecdotal evidence... (Score:2, Interesting)
Re:How difficult is it. (Score:3, Interesting)
I've never had 30 optional parameters but I've had quite a few and this
trick has allowed me to condense many statements into one.
If this trick doesn't work, you can also use IF statements and keep everything in one stored proc instead of multiple.
How to make SQL injection impossible (Score:2, Interesting)
There is a way to solve SQL injection problems: Disallow text literals in the database engine. Or even, disallow literals (including numbers) at all. This could be a setting in the database that is on by default, and only off for certain applications (ad hoc query tools). What do you think about that?
I'm thinking about implementing this feature in the database I write (http://www.h2database.com/ [h2database.com]):
This would be a persistent setting, and only an admin can change it.(Of course there are other security risks, like using 'customer id' in URL or hidden fields in a web application. Or relying on Javascript data validation. I don't know what to do about those problems.)
Re:Checking input is a "pain in the ass"?!? (Score:3, Interesting)
But ... but ... IT'S CHEAP! (Score:4, Interesting)
Simple: The people who write those insecure databases don't even know that those functions and features exist. Some ages ago, they learned a bit about SQL, maybe did a course about it (so they have a sheet of paper saying "Look, I can do it!") and that's it.
HR managers tend to go by papers, and by price. Now, who do you think is cheaper to hire? A person with a well rounded education concerning computers, programs and the fallacies, pitfalls and security issues around them, or someone who learned his SQL statements by heart and has no clue what exactly is going down inside the server?
Sure, both of them will create code that does what the specs say. As long as you only enter data according to spec (which is, interestingly enough, ALL that is checked, even under the SOA). The true quality of code is revealed as soon as you pit something unexpected and malicious against it.
Re:How difficult is it. (Score:2, Interesting)
I definitely don't think PHP is to blame for SQL vulnerabilities. Using it as a scapegoat most likely means you have no idea what you're talking about.
If I had modpoints, I'd mod your post up for all PHP haters to see.
Perl DBI is pretty good, actually (Score:3, Interesting)
In fact, Perl's DBI is not only fast, but when used properly (variable substitutions, binding variables, etc) it works extremely well. Also the fact that everytime you change your data source (CSV, XLS, MySQL, SQLite, MSSQL Server, Oracle, PostGres, etc) all your functions don't change. You can always count on:
If you're not doing some kind of column binding or type-casting on your form-derived query arguments, you are always leaving yourself open to sql injection.
== IT competence decreasing (Score:2, Interesting)
' or 1 = 1 --
for many, many sites on the Internet, regardless of user name.
The whiteboard came in when I had to explain *why it worked*...
_shakes head_
Its a pity... (Score:3, Interesting)
1. Use only prepared statements or stored procedures (Note even without concerned of SQL injection this is a good idea).
2. If you use stored procedures do not use any of the passed in values to generate dynamic SQL (otherwise you have just moved the problem from the app to the database).