Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Prevalent Are SQL Injection Vulnerabilities?

Posted by ryuzaki0 on from the more-than-you-think dept.

Krishna Dagli writes to tell us of an investigation, by Michael Sutton, attempting to get an estimate of how widespread SQL-injection vulnerabilities are among Web sites. Sutton made clever use of the Google API to turn up candidate vulnerable sites. You might quibble with his methodology (some posters on the blog site do), but he found that around 11% of sites are potentially vulnerable to SQL injection attacks. He believes the causes for this somewhat alarming situation include development texts that teach programmers insecure SQL syntax, and point-and-click tools that allow the untrained to put up database-backed sites.

18 of 245 comments (clear)

  1. The abuse of SQL injection by Reality+Master+201 · · Score: 5, Funny

    destroys thousands of lives a year. Sure, it starts small - a SELECT there, a few INSERTS on the weekend. Eventually, though, you're using stored procedures and trying to score triggers in the middle of the night.

    Just say no, kids.

    1. Re:The abuse of SQL injection by Reality+Master+201 · · Score: 4, Insightful

      Yeah, but most people are still stupid and humorless. So, in the end, I come out ahead.

  2. Unfortunately: Not Surpirsing by charleste · · Score: 4, Insightful

    This is a possibility that was obvious back when I was developing web applications as far back as 1996 using CGI. The approach in TFA was a similar approach we used "back when" to demonstrate the need for (a) not using GET, (b) turning off verbose error reporting, (c) controlling *how* queries were made (e.g. architecture of the app and DB I/O), and (d) storing sensitive data encrypted. The sad part is that it is *still* a problem. I guess it underscores the need for a decent architect as opposed to letting whiz-bang do-it-yourselfers start coding without design, and the need for security analysis, et. Al. Just my 2 cents.

    1. Re:Unfortunately: Not Surpirsing by CastrTroy · · Score: 4, Informative

      How does not using GET stop anything, you can POST anything you want to a webserver just like you can GET anything you want from a webserver. Only using POST will make things a little harder, but it doesn't stop anything.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Unfortunately: Not Surpirsing by ehud42 · · Score: 3, Informative


      "SELECT `userID`,`user`, `password` FROM `table` WHERE `user` = 'trim($_POST['user'])'"

      Ack! Nice demonstration of the code that is vulnerable to attacks!

      My user id is '; drop database; --

      --
      I'm in my right mind and I have the answer to everything!
    3. Re:Unfortunately: Not Surpirsing by Ford+Prefect · · Score: 3, Insightful

      IMHO, any web application should be written to accept both GET and POST.

      No. Web applications should use GET and POST where appropriate - GET for idempotent requests (showing database records, search results, those kind of recurring, non-database-changing things) while POST should be used for things which actually change data, user state, and so on.

      Using GET in the wrong places can lead to all kinds of irritations and miniature security problems. Imagine sending an email to your web application administrator containing something like the following: <img src="http://example.com/webapp/user_admin?action=e dituser&username=me&accesslevel=administrator" width="0" height="0">...

      Many web applications do get the two horrendously mixed up (I've seen search results done via POST, which is subtly, incredibly annoying) but they're definitely not interchangeable.

      For simply displaying a non-password-protected package shipment page, GET would probably be the best solution. But blindly accepting both isn't a good alternative.

      --
      Tedious Bloggy Stuff - hooray?
  3. Simple solution by CastrTroy · · Score: 5, Insightful

    The simple solution is to use parameterized queries. I don't know why more books don't know why more books don't push this methodology, as it makes you program faster, easier to read, and also makes you invulnerable to SQL injection attacks.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  4. Re:Return of the Flat File by ip_vjl · · Score: 3, Insightful

    Won't work. The same 'novices' who leave gaping SQL injection holes will now be writing pages that need to access the file system. Now instead of accessing the DB, script kiddies will be traversing the filesystem. Yes, this can be mitigated through file permissions, but there are a lot of servers out there (set up by these same novices) where processes run as root and would have full access to read and write files. So, a bad script could allow them to write to /etc/passwd and have all sorts of fun.

  5. Re:Return of the Flat File by RingDev · · Score: 3, Insightful

    Why convert to an entirely different structure when just implimenting proper code standards will suffice? Using parameterized stored procedure calls instead of dynamic SQL will not only protect you from the vast majority of SQL Injection attacks, but will also improve the performance of your web page.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  6. Re:Sure, blame the "untrained" developers.... by tuffy · · Score: 3, Insightful

    In short, trusting the client (i.e. the web browser) to not send bad values - either through the INPUT tag's maxlength attribute, JavaScript scrubbing or whatever - is entirely the wrong way to go. The web script must check all user input for validity along with properly escaping everything from the database that's getting sent back via HTML.

    --

    Ita erat quando hic adveni.

  7. Some kind of software checklist by Realistic_Dragon · · Score: 4, Funny

    There should be some kind of government run website somewhere.

    You would answer questions and it would give you license keys to software that you were qualified to use. For example, I might tick:

    Engineer (check)
    Artist ( )
    Manager (check)
    Linux (Check)
    Mac ( )
    Windows ( )

    And it would issue keys for website point and click installation software, Vi, apache and Latex - but deny me keys to powerpoint thereby saving the lives of people who might otherwise have to gnaw off their own leg to survive my 8 hour presentation on optimising synergisyms in a web 3.0 environment by sub molecular interactions.

    --
    Beep beep.
  8. testing methods by Akatosh · · Score: 4, Insightful

    This 11% was determine by a weak testing mechanism. For every site that baltently spews sql errors to the user there are two that silently return a generic sanitized error, and another two that return no error at all. It would produce more results if you take it a step further and ask yes no questions, such as:

    ?id=99999' OR '10

    and see if the page returns the results of id=10 as expected. It's also common for people to use weak regexp (regexp should NEVER be used to protect against sql injection, see mysql_real_escape_string) and miss some characters:

    ?id=99999)

    or fail to sanitize non us language encoding. Also, get variables are often the most protected. It is much more common to find sql injection in <input type=hidden variables, or in cookie data. The number 11% is extremely low. I'd guess more like 80%.

  9. Massively widespread problem by shawnmchorse · · Score: 3, Insightful

    If anything, I'd question how FEW sites they claim are vulnerable to SQL injection. It's an insidious problem that just creeps up on you anytime you don't think about it sufficiently (as when writing something quickly, on a deadline... not that this ever happens!). I know that at my workplace we fell victim at one point to a SQL injection attack on one of our (many) custom PHP scripts. We eventually found out how it worked through the web logs and were able to fix it, but honestly even after we did our best to clean things up... I'm dead certain that there are still probably hundreds of places that we're still vulnerable. This is due to a number things including the sheer volume of PHP code in use, the fact that the code has been written at various points in time over a period of six years or so, and the fact that this code has been written by at least twenty different people. It's like trying to plug holes in a dam.

  10. Re:The "Oh-Sh*t" face... by valloned · · Score: 4, Insightful

    Microsoft VB.NET and ASP.NET texts are AWFUL in this regard. Nearly all examples use in-line SQL queries rather than paramaterized stored procedures. Why? Probably because they are trying to fit in with Microsoft's strategy that devoping applications should require absolutely no knowledge of code (or anything else for that matter). The big selling point for their VS 2005 suite is "no code required". That speaks volume.

  11. Re:The "Oh-Sh*t" face... by jrockway · · Score: 3, Informative

    > Writing secure software is never easy.

    It's easy if you use good tools. PHP is not a good tool. Rather than hacks like mysql_replace_the_string_with_things_that_wont_com primise_my_database(), you should be using tools that make it impossible to inject SQL.

    Some ideas:

    Perl's DBI, whose docs tell you to ALWAYS write SQL like:

    $sth = $dbh->preprare('SELECT foo,bar FROM baz WHERE something=? AND another = ?')
    $sth->execute(q{''Some\ things"'}, 10);

    Notice that the programmer can't forget to escape the SQL -- because there's no escaping.

    Even better is something like DBIx::Class, which lets you write

    $resultset = $table->search({something => q{''Some\ things"'}, another => 10});

    Again, no opportunity for the programmer to fuck up the SQL in any way. It's just like getting data out of the hash... DBIx::Class will generate the SQL (for any backend), run the query, stream in the results as needed, etc. It's easier and it's better!

    Ruby on Rail's ActiveRecord is similar, but it's impossible to do certain types of joins. DBIx::Class is better in this regard. (And Perl is faster than Rails, and Catalyst is more complete rhan Rails :)... but both Ruby and Perl are MUCH better choices than PHP.

    PHP makes it easy to write insecure code. Perl makes it hard! (With taint mode, a selection of ORMs, 10000+ well-tested modules, and nicities like Moose, Moose::Autobox, etc.)

    --
    My other car is first.
  12. Re:The "Oh-Sh*t" face... by Nos. · · Score: 3, Insightful

    Or use the appropriate PEAR classes with php, like MDB2, which documents how to do prepare/executes. Don't suggest that PHP is worse than PERL because PERL has DBI, PHP has addons as well.

  13. Re:Return of the Flat File by MagicM · · Score: 4, Informative

    That, and/or bind, bind, bind. Concatenating user input into your SQL statements is bad on both security and performance.

  14. You don't need to bother with SQL Injection by thewils · · Score: 4, Interesting

    If you search for "mdb" you can download the entire database without too much trouble.

    I recently came across a commercial site where you could substitute, for instance, "(select first_name from users where id=1)" into the page url and a nice error screen came up telling you that it couldn't convert "George" into an Integer.

    It's not the SQL Injection per se that is the biggest problem, but the nice error messages you get back giving you, more or less, a SQL command line interface. Errors should be detected and redirected to a sanitized page, or if you can't be bothered, an unceremonious crash.

    I notified the owners of that site by the way.

    --
    Once I was a four stone apology. Now I am two separate gorillas.