How Prevalent Are SQL Injection Vulnerabilities?
Krishna Dagli writes to tell us of an investigation, by Michael Sutton, attempting to get an estimate of how widespread SQL-injection vulnerabilities are among Web sites. Sutton made clever use of the Google API to turn up candidate vulnerable sites. You might quibble with his methodology (some posters on the blog site do), but he found that around 11% of sites are potentially vulnerable to SQL injection attacks. He believes the causes for this somewhat alarming situation include development texts that teach programmers insecure SQL syntax, and point-and-click tools that allow the untrained to put up database-backed sites.
How does not using GET stop anything? You can POST anything you want to a webserver just like you can GET anything you want from a webserver. Only using POST will make things a little harder, but it doesn't stop anything.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
> Writing secure software is never easy.
It's easy if you use good tools. PHP is not a good tool. Rather than hacks like mysql_replace_the_string_with_things_that_wont_compromise_my_database(), you should be using tools that make it impossible to inject SQL.
Some ideas:
Perl's DBI, whose docs tell you to ALWAYS write SQL like:
# placeholders (?) are filled in by the driver; the values never touch the SQL text
$sth = $dbh->prepare('SELECT foo,bar FROM baz WHERE something=? AND another = ?');
$sth->execute(q{''Some\ things"'}, 10);
Notice that the programmer can't forget to escape the SQL -- because there's no escaping.
Even better is something like DBIx::Class, which lets you write
$resultset = $table->search({something => q{''Some\ things"'}, another => 10});
Again, no opportunity for the programmer to fuck up the SQL in any way. It's just like getting data out of the hash... DBIx::Class will generate the SQL (for any backend), run the query, stream in the results as needed, etc. It's easier and it's better!
Ruby on Rails' ActiveRecord is similar, but it's impossible to do certain types of joins. DBIx::Class is better in this regard. (And Perl is faster than Rails, and Catalyst is more complete than Rails :)... but both Ruby and Perl are MUCH better choices than PHP.
PHP makes it easy to write insecure code. Perl makes it hard! (With taint mode, a selection of ORMs, 10000+ well-tested modules, and niceties like Moose, Moose::Autobox, etc.)
My other car is first.
That, and/or bind, bind, bind. Concatenating user input into your SQL statements is bad for both security and performance.
"SELECT `userID`,`user`, `password` FROM `table` WHERE `user` = 'trim($_POST['user'])'"
Ack! Nice demonstration of the code that is vulnerable to attacks!
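As an added example, not code posted in this thread: the contrast between the concatenated PHP query quoted above and the placeholder style the DBI comment recommends, written in Python against an in-memory sqlite3 database. The table name, columns and rows are constructed for the demo; lookup_concat splices the username into the SQL text the way the PHP snippet does, lookup_bound passes it as a bound parameter, and concat_rejects_quote shows that the concatenated form cannot even parse an ordinary apostrophe in a name.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table, same columns as the PHP snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userID INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (user, password) VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "swordfish")],
    )
    return conn


def lookup_concat(conn, user):
    """Vulnerable form: the input becomes part of the SQL text, so quotes in it
    change the shape of the query instead of being compared as data."""
    sql = "SELECT userID, user, password FROM users WHERE user = '" + user.strip() + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, user):
    """Hardened form: a ? placeholder; the driver binds the value separately,
    so there is nothing for the programmer to forget to escape."""
    sql = "SELECT userID, user, password FROM users WHERE user = ?"
    return conn.execute(sql, (user.strip(),)).fetchall()


def concat_rejects_quote(conn, user):
    """True if the concatenated query fails to parse for this input (e.g. O'Brien).
    The bound version handles the same input as a plain string."""
    try:
        lookup_concat(conn, user)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A classic tautology in the username: the concatenated query matches every row,
    # the bound query matches none, because no user is literally named that.
    probe = "x' OR '1'='1"
    print("concat:", lookup_concat(db, probe))
    print("bound: ", lookup_bound(db, probe))
    # An ordinary apostrophe breaks the concatenated query outright.
    print("concat breaks on O'Brien:", concat_rejects_quote(db, "O'Brien"))
    print("bound handles O'Brien:   ", lookup_bound(db, "O'Brien"))
```

Run it and the concatenated lookup returns both rows for the probe input while the bound lookup returns an empty list; the same input is a harmless string once it is bound rather than spliced. The detection angle is the same in either direction: a login query that returns more than one row for a single username is worth alerting on regardless of how the SQL was built.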
My user id is '; drop database; --
I'm in my right mind and I have the answer to everything!