The SQL Injection Attack is alive and well.

Henry Minute wrote:

True, but I was basing it on the days when I was an SA. I set the rules and the coders had to stick to them.

Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.

Andy Brummer wrote (#13):

That's an odd relationship. Did they work for you?

Curvature of the Mind now with 3D

AspDotNetDev wrote:

OriginalGriff wrote:

It was in with your Certificate

Speaking of, did you get yours yet?

[WikiLeaks Cablegate Cables]

Henry Minute wrote (#14):

Mine arrived last week, has yours not? I'm fibbing. 7th May was the date mine arrived last year.

Henry Minute wrote (#15), in reply to Andy Brummer (#13):

Yup. In the sense that I was head of the dept that employed them and conducted the interviews. LAN only stuff back then though. From the comments it would seem that things have changed more than a little since then.

AspDotNetDev wrote (#16), in reply to Henry Minute (#14):

Huh, I wonder why it takes so long.

Henry Minute wrote (#17), in reply to AspDotNetDev (#16):

Hamsters have problems gripping those fancy writing pens. Calligraphy! That's the word I was looking for. Calligraphy pens.

wizardzz wrote:

IMO it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters. So, it's everyone's fault. Given the description of the hacked sites, I'm guessing this is the exploitation of an open source or cheap product they all used in common, assuming that SQL injection would have been accounted for. It could even be an inside job from the developers of the common software.

"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" — Hunter S. Thompson

Nemanja Trifunovic wrote (#18):

wizardzz wrote:

it's the job of the DBA to allow only SP's and the developer to sanitize any input parameters.

Neither helps with SQL injections. The only cure is using parameterized queries[^].

utf8-cpp

Sander Rossel wrote (#19), in reply to Nemanja Trifunovic (#18):

quotename()[^] might help too in some cases (I think) :D

It's an OO world.

AspDotNetDev wrote:

Isn't that more the responsibility of a programmer than a systems administrator? I suppose a properly secured database helps (i.e., you can disallow arbitrary SQL code and only allow stored procedures to execute), but the main step is to not use code that allows for SQL injection.

Chris Meech wrote (#20):

AspDotNetDev wrote:

but the main step is to not use code that allows for SQL injection.

A proper use of security would help as well. It's one thing to allow a user to type or inject "delete ...", it's quite another to actually authorise a user to do that. :)

Chris Meech I am Canadian. [heard in a local bar] In theory there is no difference between theory and practice. In practice there is. [Yogi Berra] posting about Crystal Reports here is like discussing gay marriage on a catholic church’s website.[Nishant Sivakumar]

AspDotNetDev wrote (#21), in reply to Nemanja Trifunovic (#18):

Parameterized queries work by sanitizing the inputs. They just do it for you.

wizardzz wrote (#22), in reply to Nemanja Trifunovic (#18):

Not sure what you mean here? How does sanitizing input not help with SQL injection? The article you referenced actually just said that. Also, how are parameterized queries exclusive of SP's?
wizardzz wrote (#23), in reply to AspDotNetDev (#21):

Thanks Asp, I was wondering what the poster was talking about. None of the techniques I mentioned are mutually exclusive of parameterized queries, however, if either person in the roles I mentioned had done their part, it would help.
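The sub-thread above (Nemanja Trifunovic in #18, AspDotNetDev in #21, wizardzz in #22 and #23) turns on the difference between sanitizing a value and binding it as a parameter. The script below is an added example written for this page; it is not code from the thread or from any of its posters. It uses Python's sqlite3 module, a constructed users table, and a hypothetical escape_quotes() helper standing in for the hand-written "sanitizer" being argued about. It goes slightly beyond the posts by showing the case that separates the two approaches: quote-doubling is enough when the value is spliced into a quoted string literal, but does nothing for an unquoted numeric predicate, whereas a bound parameter is compared as data regardless of how the predicate is written.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (id, name, is_admin) VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "O'Brien", 0), (3, "carol", 0)],
    )
    conn.commit()
    return conn


def escape_quotes(value: str) -> str:
    """Hypothetical hand-written 'sanitizer': doubles single quotes so the
    value can be spliced into a quoted SQL string literal."""
    return value.replace("'", "''")


def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    """Unsafe pattern: the value becomes part of the SQL text.
    Quote-doubling keeps O'Brien from breaking the statement, but only
    because this particular predicate wraps the value in quotes."""
    sql = "SELECT id, name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return conn.execute(sql).fetchall()


def find_by_id_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Same 'sanitizer', same unsafe pattern, but an unquoted numeric predicate.
    No quote character is needed to change the statement's meaning, so the
    escaping has nothing to act on and the whole input is parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_param(conn: sqlite3.Connection, user_id) -> list:
    """Parameterized form: the statement text is fixed when it is prepared and
    the value is bound afterwards, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized string predicate: no escaping of the value is needed."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_concat(db, "O'Brien"))  # escaping suffices for a quoted literal
    print(find_by_id_concat(db, "2 OR 1=1"))   # escaping is irrelevant here: every row comes back
    print(find_by_id_param(db, "2 OR 1=1"))    # bound as data: no row has that id
    print(find_by_name_param(db, "O'Brien"))
```

The point the script makes for the thread: a parameter is not an escaped string. The database receives the statement and the value separately, so there is no quoting to get right per column type, which is why #18 calls parameterization the cure and why a sanitizer that only handles quotes is not a substitute for it.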
AspDotNetDev wrote (#24), in reply to Nemanja Trifunovic (#18):

Also, the advantage of allowing only SP's to execute (using database permissions) is that SQL injection cannot then execute arbitrary code. It can only execute SP's that the user in the connection string has been given access to. This can be used as a backup in the case that the programmer does not use parameterized queries.
Andy Brummer wrote (#25), in reply to Henry Minute (#15):

That makes more sense. Typically the SA's I've worked with are deployment monkeys that just keep the OS running.
AspDotNetDev wrote (#26), in reply to Chris Meech (#20):

Indeed, it would help, but still doesn't prevent all forms of mischief. If you have an SP that deletes records of a particular type, then that may allow a user to cause some damage. The main form of defense is the code (parameterized queries).
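Chris Meech (#20) and AspDotNetDev (#24, #26) describe the second layer: whatever a statement asks for, the account in the connection string is only permitted certain operations, which limits the damage if the first layer fails. The script below is an added example for this page, not the thread's or any poster's code. A real server expresses this with GRANT/DENY on an execute-only role; SQLite has no accounts, so the example uses the sqlite3 module's set_authorizer() hook as a stand-in for that permission list. The orders table and its rows are constructed for the demonstration.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not from any real system), built before the
    connection is restricted, as a schema owner would do it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (id, customer, total) VALUES (?, ?, ?)",
        [(1, "alice", 10.0), (2, "bob", 25.5), (3, "carol", 7.25)],
    )
    conn.commit()
    return conn


def app_role_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Stand-in for the permissions of the application's database account:
    it may run SELECT statements and read columns of the orders table.
    Every other action (DELETE, UPDATE, DROP, ...) is refused when the
    statement is prepared, before any row is touched."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "orders":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_app_connection() -> sqlite3.Connection:
    """Returns a connection restricted to the application role."""
    conn = make_db()
    conn.set_authorizer(app_role_authorizer)
    return conn


def list_orders_for(conn: sqlite3.Connection, customer: str) -> list:
    """The one query the application legitimately needs (parameterized)."""
    return conn.execute(
        "SELECT id, total FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def attempt_delete(conn: sqlite3.Connection, order_id) -> Optional[str]:
    """Simulates a DELETE reaching the database under the application role.
    Returns the database's refusal message, or None if the delete went through."""
    try:
        conn.execute("DELETE FROM orders WHERE id = ?", (order_id,))
        conn.commit()
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)


if __name__ == "__main__":
    db = open_app_connection()
    print(list_orders_for(db, "bob"))   # the permitted read works
    print(attempt_delete(db, 2))        # the delete is refused by the role, not by the code
    print(list_orders_for(db, "bob"))   # row still present
```

Note what the hook does not do, which is AspDotNetDev's caveat in #26: it says nothing about how the permitted SELECT is built. If the application's own query were assembled by concatenation, the role would still permit reading any orders row, so the permission list caps the blast radius but does not replace parameterization in the code.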
Henry Minute wrote:

According to this report[^]. It is difficult to believe that Systems Administrators are unaware of this exploit and yet numerous sites are still vulnerable.

Mycroft Holmes wrote (#27):

from the article:

Generally, the sites being hit are small businesses, community groups, sports teams and many other mid-tier organisations.

A lot of these would be single devs, possibly juniors getting experience. If I saw this from a senior dev, whoosh out the door. SQL Injection is sooo easy to stop it is ridiculous that it is still a threat.

Never underestimate the power of human stupidity RAH
OriginalGriff wrote:

Henry Minute wrote:

It is difficult to believe that Systems Administrators are unaware of this exploit

You don't spend enough time in Q&A: nobody seems to be taught about it, even in passing... :sigh:

Real men don't use instructions. They are only the manufacturers opinion on how to put the thing together. Manfred R. Bihy: "Looks as if OP is learning resistant."

gavindon wrote (#28):

I will say, the one SQL class I took to get my recent associates degree, never mentioned anything remotely close to this. It was all about how to build a table, keys etc.. without ever ONCE mentioning anything about "maybe this is not good practice" or the fact that if something is poorly constructed, it is simple to "hack" with injections. Neither did anything in ANY of my programming classes. I've learned more about security on CP than was ever even mentioned in my school.

Programming is a race between programmers trying to build bigger and better idiot proof programs, and the universe trying to build bigger and better idiots, so far... the universe is winning.
Henry Minute wrote (#29), in reply to Mycroft Holmes (#27):

Mycroft Holmes wrote:

A lot of these would be single devs, possibly juniors getting experience.

Good point.

Mycroft Holmes wrote:

SQL Injection is sooo easy to stop it is ridiculous that it is still a threat.

Quite agree.
OriginalGriff wrote (#30), in reply to AspDotNetDev's question above about the certificate:

No, but I assume that the Hamsters are swimming across the Atlantic with it gripped in their teeth - that's got to take a while...

"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
OriginalGriff wrote (#31), in reply to gavindon (#28):

Damn. I hate it when I am right! :-D
Timothy Carroll wrote (#32), in reply to AspDotNetDev's post above:

I agree. Anecdotally, most SysAdmins I know are well aware of this attack vector, but many developers I know still do string sanitation instead of parameterization. This is squarely in developer and QA's corners. DBAs are only involved if they are part of the code auditing process (MANY times, they are not). SysAdmins would rarely ever be involved except when they set up IPS rules because their developer colleagues can't write secure code.
