How Prevalent Are SQL Injection Vulnerabilities?
Krishna Dagli writes to tell us of an investigation, by Michael Sutton, attempting to get an estimate of how widespread SQL-injection vulnerabilities are among Web sites. Sutton made clever use of the Google API to turn up candidate vulnerable sites. You might quibble with his methodology (some posters on the blog site do), but he found that around 11% of sites are potentially vulnerable to SQL injection attacks. He believes the causes for this somewhat alarming situation include development texts that teach programmers insecure SQL syntax, and point-and-click tools that allow the untrained to put up database-backed sites.
How does not using GET stop anything? You can POST anything you want to a webserver, just like you can GET anything you want from a webserver. Only using POST will make things a little harder, but it doesn't stop anything.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
That, and/or bind, bind, bind. Concatenating user input into your SQL statements is bad on both security and performance.
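The two comments above, illustrated as an added example (not code from the article or from any poster): the same crafted value reaches the query whether it arrives by GET or POST, and only the bound-parameter form treats it as data. The table, handler names and the sample request value are constructed for illustration, using Python's `sqlite3` and an in-memory database.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def request_param(method, query_string, body):
    """Read 'name' from the query string (GET) or the form body (POST)."""
    raw = query_string if method == "GET" else body
    return parse_qs(raw).get("name", [""])[0]

def lookup_concat(db, name):
    # Vulnerable: the user's input becomes part of the SQL text itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_bound(db, name):
    # Bound parameter: the input is passed as a value and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in db.execute(sql, (name,)))

# Constructed form-encoded value; decodes to: x' OR '1'='1
CRAFTED = "name=x%27+OR+%271%27%3D%271"

def run(method):
    """Return (concatenated result, bound result) for one request method."""
    db = make_db()
    if method == "GET":
        name = request_param("GET", CRAFTED, "")
    else:
        name = request_param("POST", "", CRAFTED)
    return lookup_concat(db, name), lookup_bound(db, name)

if __name__ == "__main__":
    for method in ("GET", "POST"):
        concat_rows, bound_rows = run(method)
        print(method, "concatenated:", concat_rows, "bound:", bound_rows)
```

The concatenated query returns every row for both methods, while the bound query returns none, because no user is literally named `x' OR '1'='1`.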