The SQL Injection Attack is alive and well.
-
Isn't that more the responsibility of a programmer than a systems administrator? I suppose a properly secured database helps (i.e., you can disallow arbitrary SQL code and only allow stored procedures to execute), but the main step is to not use code that allows for SQL injection.
IMO it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters. So, it's everyone's fault. Given the description of the hacked sites, I'm guessing this is the exploitation of an open source or cheap product they all used in common, assuming that SQL injection would have been accounted for. It could even be an inside job from the developers of the common software.
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" — Hunter S. Thompson
-
According to this report[^]. It is difficult to believe that Systems Administrators are unaware of this exploit and yet numerous sites are still vulnerable.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
Yeah, exactly what aspdotnetdev said. SQL injection is an application level exploit.
Curvature of the Mind now with 3D
-
Isn't that more the responsibility of a programmer than a systems administrator? I suppose a properly secured database helps (i.e., you can disallow arbitrary SQL code and only allow stored procedures to execute), but the main step is to not use code that allows for SQL injection.
True, but I was basing it on the days when I was an SA. I set the rules and the coders had to stick to them.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
-
IMO it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters. So, it's everyone's fault. Given the description of the hacked sites, I'm guessing this is the exploitation of an open source or cheap product they all used in common, assuming that SQL injection would have been accounted for. It could even be an inside job from the developers of the common software.
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" — Hunter S. Thompson
wizardzz wrote:
IMO it's the job of the DBA to allow only SP's
Ugh. I'm happy I don't work with those DBAs, or any DBA for that matter. :-D
Curvature of the Mind now with 3D
-
wizardzz wrote:
IMO it's the job of the DBA to allow only SP's
Ugh. I'm happy I don't work with those DBAs, or any DBA for that matter. :-D
Curvature of the Mind now with 3D
Haha, me too actually.
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" — Hunter S. Thompson
-
True, but I was basing it on the days when I was an SA. I set the rules and the coders had to stick to them.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
That's an odd relationship. Did they work for you?
Curvature of the Mind now with 3D
-
OriginalGriff wrote:
It was in with your Certificate
Speaking of, did you get yours yet?
Mine arrived last week, has yours not? I'm fibbing. 7th May was the date mine arrived last year.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
-
That's an odd relationship. Did they work for you?
Curvature of the Mind now with 3D
Yup. In the sense that I was head of the dept that employed them and conducted the interviews. LAN only stuff back then though. From the comments it would seem that things have changed more than a little since then.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
-
Mine arrived last week, has yours not? I'm fibbing. 7th May was the date mine arrived last year.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
Huh, I wonder why it takes so long.
-
Huh, I wonder why it takes so long.
Hamsters have problems gripping those fancy writing pens. Calligraphy! That's the word I was looking for. Calligraphy pens.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
-
IMO it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters. So, it's everyone's fault. Given the description of the hacked sites, I'm guessing this is the exploitation of an open source or cheap product they all used in common, assuming that SQL injection would have been accounted for. It could even be an inside job from the developers of the common software.
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" — Hunter S. Thompson
wizardzz wrote:
it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters.
Neither helps with SQL injections. The only cure is using parameterized queries[^].
-
wizardzz wrote:
it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters.
Neither helps with SQL injections. The only cure is using parameterized queries[^].
quotename()[^] might help too in some cases (I think) :D
It's an OO world.
-
Isn't that more the responsibility of a programmer than a systems administrator? I suppose a properly secured database helps (i.e., you can disallow arbitrary SQL code and only allow stored procedures to execute), but the main step is to not use code that allows for SQL injection.
AspDotNetDev wrote:
but the main step is to not use code that allows for SQL injection.
A proper use of security would help as well. It's one thing to allow a user to type or inject "delete ...", it's quite another to actually authorise a user to do that. :)
Chris Meech I am Canadian. [heard in a local bar] In theory there is no difference between theory and practice. In practice there is. [Yogi Berra] posting about Crystal Reports here is like discussing gay marriage on a catholic church’s website.[Nishant Sivakumar]
-
wizardzz wrote:
it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters.
Neither helps with SQL injections. The only cure is using parameterized queries[^].
Parameterized queries work by sanitizing the inputs. They just do it for you.
-
wizardzz wrote:
it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters.
Neither helps with SQL injections. The only cure is using parameterized queries[^].
Not sure what you mean here? How does sanitizing input not help with SQL injection? The article you referenced actually just said that. Also, how are parameterized queries exclusive of SP's?
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" — Hunter S. Thompson
-
Parameterized queries work by sanitizing the inputs. They just do it for you.
Thanks Asp, I was wondering what the poster was talking about. None of the techniques I mentioned are mutually exclusive of parameterized queries, however, if either person in the roles I mentioned had done their part, it would help.
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" — Hunter S. Thompson
-
wizardzz wrote:
it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters.
Neither helps with SQL injections. The only cure is using parameterized queries[^].
Also, the advantage of allowing only SP's to execute (using database permissions) is that SQL injection cannot then execute arbitrary code. It can only execute SP's that the user in the connection string has been given access to. This can be used as a backup in the case that the programmer does not use parameterized queries.
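To make the distinction the thread keeps circling concrete, here is an added example (not posted by anyone in this thread) that puts a string-concatenated lookup beside the parameterized form, using Python's built-in sqlite3 module and a constructed in-memory user table. The database-permission backstop described above is a separate layer and is not modelled here.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table standing in for a site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable pattern: the caller's text is spliced into the SQL string,
    # so a quote character in the input becomes part of the query grammar.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened pattern: the value is bound separately from the statement text.
    # The driver never lets it be parsed as SQL, whatever characters it holds,
    # which is why this is not the same thing as escaping the input yourself.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Constructed probe input: a name nobody has, carrying an embedded quote.
    conn = make_db()
    probe = "x' OR '1'='1"
    return lookup_concatenated(conn, probe), lookup_parameterized(conn, probe)


if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)   # every row in the table
    print("parameterized query returned:", safe)    # nothing, as intended
```

The same probe returns the whole table through the concatenated query and nothing through the parameterized one; a detection rule that flags quote characters in request parameters would catch this probe but not every variant, which is why the fix belongs in the code rather than in input filtering.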
-
Yup. In the sense that I was head of the dept that employed them and conducted the interviews. LAN only stuff back then though. From the comments it would seem that things have changed more than a little since then.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
That makes more sense. Typically the SA's I've worked with are deployment monkeys that just keep the OS running.
Curvature of the Mind now with 3D
-
AspDotNetDev wrote:
but the main step is to not use code that allows for SQL injection.
A proper use of security would help as well. It's one thing to allow a user to type or inject "delete ...", it's quite another to actually authorise a user to do that. :)
Chris Meech I am Canadian. [heard in a local bar] In theory there is no difference between theory and practice. In practice there is. [Yogi Berra] posting about Crystal Reports here is like discussing gay marriage on a catholic church’s website.[Nishant Sivakumar]
Indeed, it would help, but still doesn't prevent all forms of mischief. If you have an SP that deletes records of a particular type, then that may allow a user to cause some damage. The main form of defense is the code (parameterized queries).
-
According to this report[^]. It is difficult to believe that Systems Administrators are unaware of this exploit and yet numerous sites are still vulnerable.
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.
from the article:
Generally, the sites being hit are small businesses, community groups, sports teams and many other mid-tier organisations.
A lot of these would be single devs, possibly juniors getting experience. If I saw this from a senior dev, whoosh out the door. SQL Injection is sooo easy to stop it is ridiculous that it is still a threat.
Never underestimate the power of human stupidity RAH