How Prevalent Are SQL Injection Vulnerabilities?

Krishna Dagli writes to tell us of an investigation, by Michael Sutton, attempting to get an estimate of how widespread SQL-injection vulnerabilities are among Web sites. Sutton made clever use of the Google API to turn up candidate vulnerable sites. You might quibble with his methodology (some posters on the blog site do), but he found that around 11% of sites are potentially vulnerable to SQL injection attacks. He believes the causes for this somewhat alarming situation include development texts that teach programmers insecure SQL syntax, and point-and-click tools that allow the untrained to put up database-backed sites.

The abuse of SQL injection

[Reality Master 201]

destroys thousands of lives a year. Sure, it starts small - a SELECT there, a few INSERTS on the weekend. Eventually, though, you're using stored procedures and trying to score triggers in the middle of the night.

Just say no, kids.

Re:

[Reality Master 201]

Hey, thanks. People are stupid and humorless; you get inured to it after a while.

Re:The abuse of SQL injection

[Reality Master 201]

Yeah, but most people are still stupid and humorless. So, in the end, I come out ahead.

Unfortunately: Not Surpirsing

[charleste]

This is a possibility that was obvious back when I was developing web applications as far back as 1996 using CGI. The approach in TFA was a similar approach we used "back when" to demonstrate the need for (a) not using GET, (b) turning off verbose error reporting, (c) controlling *how* queries were made (e.g. architecture of the app and DB I/O), and (d) storing sensitive data encrypted. The sad part is that it is *still* a problem. I guess it underscores the need for a decent architect as opposed to letting whiz-bang do-it-yourselfers start coding without design, and the need for security analysis, et. Al. Just my 2 cents.

Re:Unfortunately: Not Surpirsing

[CastrTroy]

How does not using GET stop anything, you can POST anything you want to a webserver just like you can GET anything you want from a webserver. Only using POST will make things a little harder, but it doesn't stop anything.

Re:

[dgatwood]

Using POST doesn't make it any harder. It just makes the address bar less ugly.

IMHO, any web application should be written to accept both GET and POST. I'm very annoyed with USPS.com for this very reason. I have a small Dashboard widget that I use to track packages. Short of writing some custom redirect script on a server somewhere, I cannot construct a URL that I can use to create a clickable link to the tracking results.

I sent an email to the USPS webmaster and asked if there was anything they cou

Re:

[Goblez]

So you write a widgit that creates a request object and POSTs it to the server. It's the same info being sent, it's just how it's viewed in the addressbar.

Re:

[dgatwood]

You can't send a URL to another application with a POST request. If it isn't in the addressbar, it can't be part of a URL, so a Dashboard Widget can't make Safari display the page. So you only have three choices:

• Write a CGI on the web server that converts a GET request to a POST request, sends it to the USPS server, and returns the results.
• Write widget code that makes the POST request with xmlhttp, stores the results to a local file on disk, then opens that file in Safari.
• Write widget code that makes

Re:

[Amouth]

why not have it call a javascript function that takes the info and posts it to a new window .. not that hard.

or even have java script go get the damn thing and return it back

What about Google's Search by Number?

[slashd'oh]

Your post made me curious about how Google does it via their Search by Number [google.com] feature. For example, if you search Google for "usps " plus your tracking number (or just the number), the results will be preceded by a link to "Track USPS package..." I suppose your widget could use Google's custom redirect script, but why is the functionality restricted to Google?

Re:Unfortunately: Not Surpirsing

[Ford Prefect]

IMHO, any web application should be written to accept both GET and POST.

No. Web applications should use GET and POST where appropriate - GET for idempotent requests (showing database records, search results, those kind of recurring, non-database-changing things) while POST should be used for things which actually change data, user state, and so on.

Using GET in the wrong places [slashdot.org] can lead to all kinds of irritations and miniature security problems. Imagine sending an email to your web application administrator containing something like the following: <img src="http://example.com/webapp/user_admin?action=e dituser&username=me&accesslevel=administrator" width="0" height="0">...

Many web applications do get the two horrendously mixed up (I've seen search results done via POST, which is subtly, incredibly annoying) but they're definitely not interchangeable.

For simply displaying a non-password-protected package shipment page, GET would probably be the best solution. But blindly accepting both isn't a good alternative.

Re:

[Bogtha]

GET for idempotent requests (showing database records, search results, those kind of recurring, non-database-changing things) while POST should be used for things which actually change data, user state, and so on.

You are confusing idempotence and safety. "Idempotent" merely means that repeated requests have the same effect as a single request. You should use GET because it is safe, not because it is idempotent. For contrast, DELETE is an idempotent method, but it's certainly not a safe method. For

Re:

[Electrum]

IMHO, any web application should be written to accept both GET and POST. I'm very annoyed with USPS.com for this very reason.

This seems to work:

http://trkcnfrm1.smi.usps.com/PTSInternetWeb/Inter LabelInquiry.do?origTrackNum=99999999999999999999 [usps.com]

Re:

[dgatwood]

Thank you. Now why the &^#$^@ couldn't they have told me that instead of saying "Sorry, no GET url exists"!?! :-)

*sigh*

Re:

[TheSpoom]

You could probably create a clickable link if you could use Javascript as the onclick to postback to the URL in question. I know, an ugly hack, but it could work.

Re:

[budgenator]

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Headers;
use HTTP::Request;
my $hostname="http://localhost/cgi-bin/printenv";
my $lwp= LWP::UserAgent->new(timeout=>10);
my $h=HTTP::Headers->new;
$h->content_type('application/x-www-form-urlencod ed');
my $request=HTTP::Request->new("POST",$hostname,$h,$r equestcontent);
my $res=$lwp->request($request);
my $contents=$res->content($res);
print $contents;
exit();

Just make $requestcontent what USPS expects and change the URL as appropriate a

Re:

[OakDragon]

GET is to be used when requests make no changes to the data -- say when you're reading the database (like from the USPS website) -- and POST is to be used when requests change some data or state.

And there's a good, good reason (which many of you probably already know). If your site is indexed by a search engine, and you don't have a proper robots.txt file in place (or the search-bot ignores it), the bot can trigger data changes. Ouch!

RFC 2616 doesn't say anything about proper use

[omgwtfroflbbqwasd]

Are you referring to a different RFC? 2616 establishes the function for the various HTTP requests, among other things. The only recommendation that it provides is regarding sensitive data as part of a GET URI, from section 15.1.3:

Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where

Re:

[ehud42]

"SELECT `userID`,`user`, `password` FROM `table` WHERE `user` = 'trim($_POST['user'])'"


Ack! Nice demonstration of the code that is vulnerable to attacks!

My user id is '; drop database; --

Not a problem

[Firehed]

SELECTing `userID` when it's undefined really isn't a problem. Had you WHERE'd correctly (`userID` again, not just `user`), though, it'd have been a perfect demonstration of one of the most fundamental injection attacks.

Remember kids, NEVER trust user input. Escape things until the key is broken, then make the computer do it for you automatically.

Re:

[Tim C]

Hell of a typo if he did...

Re:

[Snover]

I hope not, since mysql_escape_string() will also allow for SQL injection by not respecting the character set of the MySQL connection. The PHP Group, in all its brilliance, decided to add another function, which they named mysql_real_escape_string(), rather than simply fixing the first one. /me sighs

Huh?

[TheLink]

How do a) and b) help?

Which "decent architect" designs a system where verbose error logs are sent to untrusted public users.

And which "decent architect" writes web apps where GET would inherently causes security problems.

In fact, post causes more problems if the target page doesn't issue a redirect, because then the form could be reposted. This shouldn't be a security problem of course (unless it's a login page), since duplicate posts should be handled gracefully. However with most browsers, users would be

Re:

[masklinn]

the need for (a) not using GET

WTF? GET has uses just as POST has uses. If a request is to be idempotent (read-only query), then it's a GET. Otherwise it's a POST (or a PUT, or a DELETE).

The fact that PHP fails at understanding HTTP doesn't mean that others do so too. For example, the web.py Python microframework behaves this way: you map URLs to classes, and these classes have any of 4 methods: GET, POST, PUT, DELETE (they can have others, but the others are not important). Each method is called when th

Re:

[arivanov]

Ahem. While this problem is prevalent in PHP/ASP(AFAIK pre .NET) code, it is long gone in most "sane" languages.

If you follow elementary "safe" coding conventions in Perl, Python or Ruby and use prepare() statements it is nearly impossible to write injectable code. I am saying "nearly" because there will always be an inventive idiot to write a code which can allow injection in any language.

Re:

[Lord Ender]

(a) not using GET

At this point, I realized you didn't know what you are talking about, and stopped reading your comment.

Re:

[Lord Ender]

Good point--especially if we're talking SSL.

Re:

[budgenator]

#!/usr/bin/perl

use LWP::UserAgent;
use HTTP::Headers;
use HTTP::Request;
my $hostname="http://localhost/cgi-bin/printenv";
my $lwp= LWP::UserAgent->new(timeout=>10);
my $h=HTTP::Headers->new;
$h->content_type('application/x-www-form-urlencod ed');
my $request=HTTP::Request->new("POST",$hostname,$h,$r equestcontent);
my $res=$lwp->request($request);
my $contents=$res->content($res);
print $contents;
exit();

whoo that was hard; all using POST is going to do is get you a slightly

Simple solution

[CastrTroy]

The simple solution is to use parameterized queries. I don't know why more books don't know why more books don't push this methodology, as it makes you program faster, easier to read, and also makes you invulnerable to SQL injection attacks.

Re:

[revlayle]

Indeed, the last few project I have done use COMPLETELY parameterized queries. The only time the SQL statement structure for a command is remotely dynamically built is to add additional caluses based on specific criteria and allows no user-generated input to actually build the clause specifics. With these practices, we have absolutely *NO* SQL injection vunerabilities.

The other side of the coin, that people still forget about, also, is data that is queried and made for display in HTML browsers. Without

Re:

[revlayle]

Interesting you bring up this example, as I am finishing up a contract project that does something extremely similar (searching on name, grade, and team). My method, programmatically speaking, is searching for a subset of employees. I have an Employee class with a "static" (I put this in quotes at it is a PHP4 class, where there is no specific keywords to indicate a method as static, just implicity used and documented as a static call as the method call is not executed against a class instance) method to

Re:

[RAMMS+EIN]

``The simple solution is to use parameterized queries. I don't know why more books don't know why more books don't push this methodology, as it makes you program faster, easier to read, and also makes you invulnerable to SQL injection attacks.''

I guess it's because they're cumbersome. I found this example:

SqlCommand command = connection.CreateCommand();
command.CommandText = "SELECT * FROM Customers WHERE CustomerID = @CustomerID";

command.Parameters.Add(
new SqlParameter("@Custo

Re:

[Fweeky]

Ew. An idiom I'm used to is:

query("SELECT * FROM Customers WHERE CustomerID = ?", customer_id)

Why do you need more?

Re:

[Goaway]

Here's why: PHP doesn't even support them out of the box.

PHP is quite probably the single biggest cause of SQL injection attacks on the web.

Re:

[mcrbids]

Anything made can be unmade

It's quite possible to escape characters and be certain that they won't be bypassed.

but it is staggering how many choose not to do at lease strSQL.Replace(";","BLAHBLAH - SIMPLEINJECTDEFEAT"); before executing SQL. Nobody needs to allow ";" in any query.

Which is just retarded. There are many cases where the semi-colon ";" is perfectly legitimately used. For example, this comment contains a number of them. This comment will be saved to a database. Thus, the SQL statement contains

Point and click tools

[also-rr]

The fact that tools can be used to put up insecure sites is not exactly a failing of the tool. The tool will have had a spec (even an informal spec) - which may have been "put sites up fast and let users sort out the security".

It's only a failure of the tool, or the developer of the tool, if the tool is marked as being a one step solution. Of course a lot are, there is no shortage of snake oil salesmen, and in that case they take 100% of the blame. However most rapid deployment tools contain a clear disc

Some kind of software checklist

[Realistic_Dragon]

There should be some kind of government run website somewhere.

You would answer questions and it would give you license keys to software that you were qualified to use. For example, I might tick:

Engineer (check)
Artist ( )
Manager (check)
Linux (Check)
Mac ( )
Windows ( )

And it would issue keys for website point and click installation software, Vi, apache and Latex - but deny me keys to powerpoint thereby saving the lives of people who might otherwise have to gnaw off their own leg to survive my 8 hour presentation on optimising synergisyms in a web 3.0 environment by sub molecular interactions.

testing methods

[Akatosh]

This 11% was determine by a weak testing mechanism. For every site that baltently spews sql errors to the user there are two that silently return a generic sanitized error, and another two that return no error at all. It would produce more results if you take it a step further and ask yes no questions, such as:

?id=99999' OR '10

and see if the page returns the results of id=10 as expected. It's also common for people to use weak regexp (regexp should NEVER be used to protect against sql injection, see mysql_real_escape_string) and miss some characters:

?id=99999)

or fail to sanitize non us language encoding. Also, get variables are often the most protected. It is much more common to find sql injection in <input type=hidden variables, or in cookie data. The number 11% is extremely low. I'd guess more like 80%.

Re:

[ecklesweb]

Depends on how you use a regexp. If you're defining the characters that are allowed in the user input, that's one thing. If you're defining the characters that aren't allowed in the user input, then you might as well not have wasted your time.

Re:

[tehshen]

regexp should NEVER be used to protect against sql injection

In Perl and Ruby, variables are "tainted" if they come from outside, and can't be used in sql or system. Running a string through a regex is the preferred way to untaint it. Your mysql_real_escape_string is the equivalent of a simple regex anyway (replacing characters with \characters).

Does Python have a taint mode? I know that PHP doesn't (shame)

The "Oh-Sh*t" face...

[moco]

From the article:

* Many development texts actually teach programmers insecure SQL syntax. ...
* Many sites are exposed to SQL injection attacks but don't know it.

I agree completely! I've seen the texts, I've seen the hordes of VB+SQL programmers that learned from said texts moving to the web porting the same "vices" to the new platform.
And I've seen the "oh-sh*t" face on a couple of developers after demonstrating to them that their software is vulnerable to SQL Injection. In both cases the vulnerabilities e

Re:The "Oh-Sh*t" face...

[valloned]

Microsoft VB.NET and ASP.NET texts are AWFUL in this regard. Nearly all examples use in-line SQL queries rather than paramaterized stored procedures. Why? Probably because they are trying to fit in with Microsoft's strategy that devoping applications should require absolutely no knowledge of code (or anything else for that matter). The big selling point for their VS 2005 suite is "no code required". That speaks volume.

Re:

[sevinkey]

You're right, all of the asp.net examples do just have in-line sql queries.

Dunno why anyone would not use ObjectDataSources for their data in .Net, with parameterized calls to stored procedures behind though.... not only is this more secure than uglying up your UI level code, it's more efficient, and lets you bind to generic List objects instantiated to your own classes rather than using DataTables.

Re:The "Oh-Sh*t" face...

[jrockway]

> Writing secure software is never easy.

It's easy if you use good tools. PHP is not a good tool. Rather than hacks like mysql_replace_the_string_with_things_that_wont_com primise_my_database(), you should be using tools that make it impossible to inject SQL.

Some ideas:

Perl's DBI, whose docs tell you to ALWAYS write SQL like:

$sth = $dbh->preprare('SELECT foo,bar FROM baz WHERE something=? AND another = ?')
$sth->execute(q{''Some\ things"'}, 10);

Notice that the programmer can't forget to escape the SQL -- because there's no escaping.

Even better is something like DBIx::Class, which lets you write

$resultset = $table->search({something => q{''Some\ things"'}, another => 10});

Again, no opportunity for the programmer to fuck up the SQL in any way. It's just like getting data out of the hash... DBIx::Class will generate the SQL (for any backend), run the query, stream in the results as needed, etc. It's easier and it's better!

Ruby on Rail's ActiveRecord is similar, but it's impossible to do certain types of joins. DBIx::Class is better in this regard. (And Perl is faster than Rails, and Catalyst is more complete rhan Rails :)... but both Ruby and Perl are MUCH better choices than PHP.

PHP makes it easy to write insecure code. Perl makes it hard! (With taint mode, a selection of ORMs, 10000+ well-tested modules, and nicities like Moose, Moose::Autobox, etc.)

Re:

[Nos.]

Or use the appropriate PEAR classes with php, like MDB2, which documents how to do prepare/executes. Don't suggest that PHP is worse than PERL because PERL has DBI, PHP has addons as well.

Re:

[soliptic]

(I asked this last time SQL injection came up, but I was too late, I got no reply, so I'll ask again...)

I don't understand how this magically fixes things.

In your example (yes, I realise it is just that, a quick example) you have 10 which is a constant. Now clearly if you were just doing queries with constants then there is no danger in doing a straight SELECT * FROM table WHERE something=10!

So your example obviously needs to replace "10" with "$numeric_var", ie $sth->execute(q{''Some\ things"'},

Re:

[XanC]

Prepared statements aren't there to guarantee that every datum you insert is the "correct" type for what you're trying to do. What they do is guarantee that nothing in your variables will be interpreted as part of the SQL command.

If I have "10; <naughty stuff>" in $numeric_var, it will attempt to insert (or select, or whatever) exactly that string, without interpreting it. The data may be useless, but it will not be executed.

Re:

[Ford Prefect]

And I've seen the "oh-sh*t" face on a couple of developers after demonstrating to them that their software is vulnerable to SQL Injection. In both cases the vulnerabilities exposed the customers to the posibility of serious financial damage.

Have you seen the 'oh, that's not a problem, we're using SSL so it's completely secure' face yet?

As for stupidest work-arounds - a site I was doing a vague security audit for (sans source-code, alas) was (is) rife with SQL injection vulnerabilities. On attempting to expl

Massively widespread problem

[shawnmchorse]

If anything, I'd question how FEW sites they claim are vulnerable to SQL injection. It's an insidious problem that just creeps up on you anytime you don't think about it sufficiently (as when writing something quickly, on a deadline... not that this ever happens!). I know that at my workplace we fell victim at one point to a SQL injection attack on one of our (many) custom PHP scripts. We eventually found out how it worked through the web logs and were able to fix it, but honestly even after we did our best to clean things up... I'm dead certain that there are still probably hundreds of places that we're still vulnerable. This is due to a number things including the sheer volume of PHP code in use, the fact that the code has been written at various points in time over a period of six years or so, and the fact that this code has been written by at least twenty different people. It's like trying to plug holes in a dam.

Re:

[drew]

It's an insidious problem that just creeps up on you anytime you don't think about it sufficiently.

If SQL injection attacks are creeping up on you, than you are using the wrong tools. If you are using any halfway decent database access library (and suing it correctly) SQL injection is a non-issues. Example, using Perl:

my $sth = dbh->prepare("select * from users where user_id = ?");
my $rv = $sth->execute($dangerous_user_supplied_var);

I know the same thing is possible in PHP (via PEAR:DB), although

Turn Key solutions broken?

[Bryansix]

Why are the point and click or turn key solutions so vulnerable to SQL injection in the first place? I had a friend with a PHPBB site that got shot to all hell when some cracker came along and defaced it. Why wasn't it secure out of the box? Second of all, why is it that every website has to worry so much about security. I know about databases but I don't know the first thing about preventing an SQL injection attack and why should I have to. There is nothing sensative on my sites. Let me throw out this analogy.

Let's say I own a house and around Christmas time I put out an inflatable snow man. Then some vandals come along and pop it. Are you going to walk up to me while I'm sulking over my snow man and say "Don't you know you have to wrap your snow man in kevlar to prevent vandalism and then put up an electified fence with constantine wire on it."? I would give you the strangest look if you did. Then I'd probably say something pertaining to the fact that the police should catch these bastards and presecute them.

So why is it with technology that no emphasis is put on catching vandals and bringing them to justice and a ton of emphasis is put on protecting your site from attack?

Re:

[cyber0ne]

So why is it with technology that no emphasis is put on catching vandals and bringing them to justice and a ton of emphasis is put on protecting your site from attack?

Because currently the latter is FAR easier than the former.

While I generally agree with the sentiment that it's not the web developer doing anything wrong, it's the hacker who's wrong... I would also argue that while, by not caring enough about security, the developer may not be "wrong," he is perhaps being "unwise."

Re:

[winomonkey]

Perhaps it would be more appropriate to use an analogy of vandals mortaring your snowman. For, you see, the problem with the e-vandals is that they are not actually physically present when they attack your snowman. Yes, there is proof that they attacked you, but chances are that determining their physical location is hard. Sure, you could look at the trajectory of the incoming projectile, but even then you are having to do a lot of imprecise and possibly flawed work to find out just where these attacks a

Re:

[RAMMS+EIN]

``So why is it with technology that no emphasis is put on catching vandals and bringing them to justice and a ton of emphasis is put on protecting your site from attack?''

Which would you rather have: people vandalize your website, but they get caught, or people don't vandalize your website?

Re:

[Bryansix]

Third option: People don't vandalize but not because it is impossible to vandalize but because people are afraid of getting caught.

Re:

[RAMMS+EIN]

``Why are the point and click or turn key solutions so vulnerable to SQL injection in the first place? I had a friend with a PHPBB site that got shot to all hell when some cracker came along and defaced it. Why wasn't it secure out of the box?''

With PHP, virtually anyone can write a web forum. And lots of people do. Unfortunately, not all these people are good coders. Not all of them are aware of the security risks. And PHP doesn't provide particularly secure APIs for SQL (or at least it didn't when I last

This is way low

[CaffeineAddict2001]

I've worked in web development a while and I find a SQL injection vulnerability in about 90% of the sites I've seen.

It is extremely common to have people just cut and paste the bare-bones tutorial code they find on the web and reuse that same pattern on every page in the site rather than centralizing it in a wrapper. So not only is the string not being cleaned, but it's also a huge pain to fix.

You don't need to bother with SQL Injection

[thewils]

If you search for "mdb" you can download the entire database without too much trouble.

I recently came across a commercial site where you could substitute, for instance, "(select first_name from users where id=1)" into the page url and a nice error screen came up telling you that it couldn't convert "George" into an Integer.

It's not the SQL Injection per se that is the biggest problem, but the nice error messages you get back giving you, more or less, a SQL command line interface. Errors should be detected and redirected to a sanitized page, or if you can't be bothered, an unceremonious crash.

I notified the owners of that site by the way.

Better APIs

[RAMMS+EIN]

I've written about this before. Basically, SQL injection vulnerabilities would completely disappear if better APIs were used [inglorion.net]. The problem is that queries are composed as strings, which have no intrinsic structure. The programmer creates structure by inserting certain characters (in particular, single quotes) in the string. However, the exact same mechanism is used to add user-supplied data to the queries. Unless the programmer is very careful, this allows the user to affect the structure (and thus the effec

Re:

[Goaway]

Most languages (Perl, Python, Ruby, for instance) have had better APIs for years and years.

PHP doesn't.

Re:

[RAMMS+EIN]

``The API that is available that prevents this is using parameterized
SQL where the SQL statement is managed/handled separately from the
parameter values. It is more complicated and requires more programming
than just shoving a hand built query at the database but it much more
secure. ''

That's not the only option. In my essay it shows a Lisp macro that
allows you to write queries pretty much as normal, but that still
escapes any data that comes from variables. More convenient than the
parameterized query APIs I've

Re:

[/dev/trash]

This is exactly why I use NanoBlogger.

Re:Return of the Flat File

[ip_vjl]

Won't work. The same 'novices' who leave gaping SQL injection holes will now be writing pages that need to access the file system. Now instead of accessing the DB, script kiddies will be traversing the filesystem. Yes, this can be mitigated through file permissions, but there are a lot of servers out there (set up by these same novices) where processes run as root and would have full access to read and write files. So, a bad script could allow them to write to /etc/passwd and have all sorts of fun.

No. That's a stupid idea.

[Reality Master 201]

Stupid application construction isn't a good reason to make the design of the app even stupider.

In the old days, everyone used flat files, because that's what there was. Then someone (several someones, most notably Codd and some others at IBM) realized that breaking the flat data into sets of discrete data that related to each other reduced redundancy and allowed for an overall better quality of data. And it wasn't app specific.

The answer to SQL injection is to test apps more completely (including tests f

Re:

[Stile 65]

Absolutely. Here are some rules to defend at multiple layers against SQL injections (using SQL Server as an example; YMMV on other DB servers):

- Run your web application as a user that connects to the database server and has rights only to SPs and views on the database; this works because the SPs and views have full access to database data, but the user can't access the data except through those pre-defined means

- Encapsulate calls to those SPs and views inside carefully constructed functions/objects/etc.

Re:

[Reality Master 201]

For a blog with 15,000 entries and 5MB of data, use Blogger or Typepad.

And, frankly, I don't think learning how to use the tools properly and how to test one's code is "overengineering." I think of it as competently programming the application. But I'm old fashioned.

Re:Return of the Flat File

[RingDev]

Why convert to an entirely different structure when just implimenting proper code standards will suffice? Using parameterized stored procedure calls instead of dynamic SQL will not only protect you from the vast majority of SQL Injection attacks, but will also improve the performance of your web page.

-Rick

Re:Return of the Flat File

[MagicM]

That, and/or bind [cpan.org], bind [sun.com], bind [php.net]. Concatenating user input into your SQL statements is bad on both security and performance.

Re:

[aztracker1]

In the case of .Net languages... Parameterized Queries [aspnet101.com]. should note, that the parameter formatting is slightly different for other database systems.

Re:

[RingDev]

Correct, SPs will not fix every possible exploit, but they will prevent someone from sticking a trunc command in to the middle of your dynamic select statement.

-Rick

Re:

[Nik13]

There's no need to go back to the stone age. Just use prepared statements/parameterized queries (along with the usual stuff like validating user input client *AND* server-side)

Re:

[zoeblade]

If the obvious fix is to exclude special characters from password fields, then why allow them by default to begin with?

Because that won't stop a wily hacker from using a tool such as curl to use those special characters as if they'd entered them in the password field. This has to be fixed at the server end, not the client end.

Re:Sure, blame the "untrained" developers....

[tuffy]

In short, trusting the client (i.e. the web browser) to not send bad values - either through the INPUT tag's maxlength attribute, JavaScript scrubbing or whatever - is entirely the wrong way to go. The web script must check all user input for validity along with properly escaping everything from the database that's getting sent back via HTML.

Re:

[masklinn]

Indeed, people need to understand that Javascript validation of forms is and should always be a courtesy to the user. It can always be avoided, and this means that client-side validation is done solely for the comfort of the user (so that he doesn't waste time making useless errorneous queries to the server).

This means that obtrusive client-side validations generating popups and shit everywhere are beyond stupid. Keep your JS error messages clear yet unobtrusive, because they will never stop someone who wa

Re:

[slamb]

In short, trusting the client (i.e. the web browser) to not send bad values - either through the INPUT tag's maxlength attribute, JavaScript scrubbing or whatever - is entirely the wrong way to go. The web script must check all user input for validity along with properly escaping everything from the database that's getting sent back via HTML.

It's not just "bad" values, unless you believe that all people with names like O'Malley are out to destroy your website. SQL Injection is a very simple problem: peopl

Re:

[Ford Prefect]

For instance, if my web forms want UTF-8 encoded output, is the user sending me UTF-8 encoded data? Or if I want the name field to be a maximum of 50 chars in the database, does the encoded string fit?

Try harking back to the good old days of programming, when men were real men, women were real women, and small furry creatures from Alpha Centauri knew how to write functions. Write something like this:

sql_string_sanitise( $string, $encoding, $max_length );

And you can do stuff like that, easily!

Re:

[slamb]

I use parameterized SQL queries so the notion of having to check/escape something as simple as single quotes hadn't occured to me.

Likewise, so neither of us have the problem this article is talking about. CVE's #2 error (which accounts for 14% of all reported security problems, and is present in at least 11% of this guy's web site sample) is really that basic.

As for your checks, I do things a little differently:

• In servlets, I typically let the servlet container and Java runtime take care of character

Re:

[patrixmyth]

That's a valid point, but doesn't contradict mine. If the server, by default, doesn't accept special characters in a password field, then that fixes most of these problems. Obviously, the password field isn't the only place where you can muck with the SQL, but if you're getting malformed fields from a valid userid and password, then you are much further along the path to shutting out the problem user who misused or had his access compromised. Cheers.

Re:

[dk-software-engineer]

If the server, by default, doesn't accept special characters in a password field, then that fixes most of these problems.

But then you couldn't make good passwords. Also, the password field isn't the only... oh wait, you said that:

Obviously, the password field isn't the only place where you can muck with the SQL

Exactly. So maybe you can't write "O'Hare" as a password, but with your method you couldn't enter it as your name. You just can't disallow special characters as a generic solution.

but if you're gettin

Re:

[dk-software-engineer]

I don't think you understand SQL Injection at all.

If the obvious fix is to exclude special characters from password fields

It's not. First of all, it wouldn't work. Second, it makes to sense at all at any level. Sorry if I seem rude. :)

There are a lot of new programmers (or whatever we're calling people who make websites these days), who are not naturally paranoid and sensitive to the exploitation of their code. They shouldn't need to be.

I agree, but it's a dreamworld. I shouldn't need to fiddle with keys or

Re:

[patrixmyth]

No worries. First, let me say IANAWD (I am not a web developer). It would not surprise me at all if my understanding of SQL injection vulnerabilities is less than yours. My understanding is that a SQL injection vulnerablity is when a user submits input to an interpreter that subverts the original intent of the script and produces a different result. I.E. I enter ' or '' = '' as the password field and that is passed through to SQL interpreter to read "where userid = 'user' and password = '' or '' = ''"

Re:

[legoburner]

Basically, your code will send an SQL query like this:
SELECT * FROM USERS WHERE USER_ID=3;

This might be assembled like this:
"SELECT * FROM USERS WHERE USER_ID=" + userID;

userID might be taken as a direct parameter from the front end and not sanitised. Even if user ID is a hidden form field, it would still be possible for someone to enter this (simplified for the sake of argument):
someurl.jsp?userID=1; DROP DATABASE DBNAME;

which would go through to your DB as:
SELECT * FROM USERS WHERE USER_ID=3; DROP DATABAS

Re:

[legoburner]

which would go through to your DB as:
SELECT * FROM USERS WHERE USER_ID=3; DROP DATABASE DBNAME;

should be
SELECT * FROM USERS WHERE USER_ID=1; DROP DATABASE DBNAME;
simple copy and paste error there oops

Re:

[dk-software-engineer]

It would not surprise me at all if my understanding of SQL injection vulnerabilities is less than yours.

It seemes that you understand the basics, but not the implications.

Instead of saying I'm ignant, edumacate me!

Here's some education: Don't get your education from slashdot! ;-)
But if you want to make sure you understand the basics of SQL Injection: http://en.wikipedia.org/wiki/Sql_injection [wikipedia.org]

The solution is a combination of several good practices in software development. First of all: Make sure you know whi

Re:

[jizziknight]

As some others have pointed out, there are tools to get around that sort of thing. You should be validating all input server side, whether it's validated client side or not. There are also very easy ways to deal with SQL injection already, such as parameterized stored procedures. Doing what you suggest would involve a hell of a lot of recoding, break a hell of a lot of existing sites, and proceed to punish good coders by making them work around the "safe-guard". Programmers who don't take steps to protect a

Re:

[CaffeineAddict2001]

This is kind of like saying we can prevent buffer overflow exploits by having the windows API not allow people to enter shellcode into textboxes.

Re:

[merreborn]

All the HTML standards in the world won't stop an attacker with a copy of telnet.

bash$ telnet example.com 80
GET /vulnerable_app.php?id=%2310 HTTP/1.1

Two things to note here: (1) there's no HTML involved in the actual transaction at all (2) like another poster said: you can't trust the client to send valid data.

Stick to purposing solutions for things you know about.

Re:

[patrixmyth]

Alright, back to my PHB duties, but if we only proposed solutions for things we know about, then we'd all still be picking termites out of logs with twigs. I still hold to my fundamental belief that some things are meant for professionals, ie installing ATM machines, and some things are meant for everyone, ie posting websites, and the level of safeguards has to take that into account. Some people may feel that the web should belong to the trained professionals, but personally, I'd rather see a lot of crap

Re:

[merreborn]

There's nothing wrong with the Joe Sixpack building his own website. The web wouldn't be what it is today, if it weren't for that. However, there is a problem with him developing software on systems open to the world.

Once you add executable code, and a database, it's not 'just a website' anymore. It's a program. And running amateurs' programs on the open internet is dangerous.

Re:

[Mister Whirly]

ATM = Automatic Teller Machines

"ATM machines" = Automatic Teller Machines Machines - definitley leave it to the pros, otherwise you may screw up on your "PIN number"

(Apologies for being a pseudo-grammar Nazi)

Re:

[poot_rootbeer]

This certainly seems to me to be a problem that needs to be addressed at the html standard level

I'm not following you. Why would a server-side exploit like SQL injection be addressed in a client-side display standard like HTML?

The 'type="password"' attribute of the HTML input element is nothing more than a style hint for the renderer -- characters typed into such an input should not echo back to the screen. Otherwise there's nothing that distinguishes it from a value taken from a text input, a checkbox, a

Re:

[CaffeineAddict2001]

IRL crimes have physical evidence and eye witnesses and still most people get away with it.

Considering somebody can break into your site from any one of a million unsecured WiFis from New York to Bangkok, i'd say prosecution is not going to be an effective method of deterrance.

Re:

[bestinshow]

Even if they did prosecute, it does you know good once they'd messed with your database or otherwise hacked you.

It isn't hard to secure an online application against SQL injection. So there's no excuses for the developer to write 'SELECT blah FROM table WHERE field='$forminput';' directly in their code is there?

Your example should be about you going to the police station complaining because you don't have a lock on your door, not because you need a paid security guard.

Yes, I agree that hacking crimes should

Re:

[RAMMS+EIN]

Well, of course the criminals who actually exploit vulnerabilities should be prosecuted, but that doesn't mean the developers should be left off the hook. If your code has injection vulnerabilities in it, it's buggy. Considering that injection vulnerabilities are easy to avoid, you should be ashamed if you code them. If your code is full of them (as many websites I've worked on were; not _always_ because I inherited the code), you're incompetent.

Re:

[budgenator]

Some places in Detroit, they'll steal the bricks off your house!
The internet is like the Wild West, the Sherrif is a bit crooked, and the Marshal is over worked. The no-good dirty rotten cattle russelers have gotten to good at keeping a border between them and the law so sometime you just have to get yourself a hired-gun to even things up for a while. Of course if you've brought up a gun-slinger for a job, it helps to point'em in the right direction. So to do that I'm collected the domains and websites that

Re:

[omeomi]

What I don't understand is how an SQL error message makes you vulnerable to a SQL Injection attack? Even if you are able to find out some of the tables and fields in a web-accessible database, you don't have the password to be able to execute your own queries...Is there just an assumption here that anybody stupid enough to allow a verbose error message like that would also have a database password like '12345'?

Re:

[arclyte]

Well, I have verbose error messages turned on on my local dev server to make debugging easier, but we log all errors on the live site, returning an "oops! something went wrong" generic error to users. Verbose errors can give you a lot of information, depending on what the error is.

First of all, it's going to tell a hacker what kind of system you're using. They'll probably find out anyway if it isn't apparent, but who wants to give them any help along the way? And then it all depends on what the error is.

Why errors are good for crackers

[omgwtfroflbbqwasd]

The SQL error message unto itself is not an indicator of vulnerability. It *is* an indicator that you were able to get input from the web form to manipulate/modify the SQL query (and break it). This is the first step in determining whether a given web app is even exploitable. If all you keep getting back is "invalid username" or a normal app response, it's unlikely that the app is vulnerable.

The trick to exploiting SQL injection is being able to figure out the right sequence of input characters needed

Re:

[cascadingstylesheet]

>Even if you are able to find out some of the tables
>and fields in a web-accessible database, you don't have
>the password to be able to execute your own queries...

If you can inject SQL, then *you* don't need the password. The web page sends the SQL to the database server.

Re:

[suggsjc]

...they were lazy and wanted it done fast

Rookie mistake. But little do they know that will end up spending orders of magnitude more time trying to "fix" it in the future.

Although the context is different. The best programmers I know are the laziest ones. Not in that they don't do much work, but that they have extensive knowledge of tried and true libraries. They don't reinvent the wheel.

To bring this back full circle, being able to use both a modular AND mature filtering process would be a GIANT le