Slashdot Mirror


SQL Injection Turns BusinessWeek Into Viral Replicator

martins writes "The website of popular magazine BusinessWeek has been attacked via SQL injection in an attempt to infect its readership with malware. Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected."

7 of 116 comments

  1. Re:ATTENTION WEB DEVELOPERS by apathy+maybe · · Score: 4, Informative

    This is a very good point. Except that phpMyAdmin makes it really easy to set up a new database with a single user who has all rights, and the same name as the DB.

    So what I tend to do (and I do admit that I am a lazy SOB), is just create a new DB and user for every app.

    However, your idea is much better, and it would be nice if phpMyAdmin had such a feature... (Not that I'm about to code it in, on account of my being busy with other things, and never having even looked at the phpMyAdmin code beyond what is needed to install it.)

    However, an even better thing to do (than just create a read-only user) is to escape shit before you query the DB... PHP and MySQL have this nifty function mysql_real_escape_string which will do that for you. It is better than using the general escape functions in PHP, for reasons that I read just recently. Basically, it takes into account the character encoding for the DB... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

    --
    I wank in the shower.
  2. Re:Bobby Tables is at it again (obligatory link) by CaraCalla · · Score: 5, Informative
  3. Nit pick time. by BitterOldGUy · · Score: 5, Informative

    Many of them, while good at what they do, want to further their career, so they go for an MBA so they will be considered qualified for promotion.

    To nitpick:

    That depends on your company and their policies. Therefore ask HR. I did once to see what they'd do for me. The answer was that I'd get a $3,000 raise for having a graduate degree. I asked for clarification regarding why she put it that way: "You mean, I would get the raise regardless of what master's degree I received?"

    "Yes. Of course your manager has to approve it."

    Another thing to clarify, and I've found this out the hard expensive way: getting an MBA does NOT automatically give you a ticket into management. Here's what I was told by several folks: You need management experience for an MBA to mean something. Without the experience, the MBA is worthless. So now, I'm a coder with an MBA - it's not doing me any good. And like a stupid SOB, I paid for it with student loans. I did it when I was out of work thinking that it would get me a management job. Schools are so quick to tell you that their MBA will further your career. BS! Experience matters more than the degree - and networking (i.e. It's who you know.)

    So here's what I would do differently, get into management, see if my company requires an MBA for my position, get them to pay for it, bust my ass in night school, some profit! But if they don't require it, I don't see the point in getting one.

    And there's going to be a HUGE glut of MBAs. With this down economy, MBA enrollments have gone through the roof. Which means, in two years, the already huge glut of MBAs is going to get bigger.

  4. Re:ATTENTION WEB DEVELOPERS by morgan_greywolf · · Score: 2, Informative

    However, your idea is much better, and it would be nice if phpMyAdmin had such a feature

    Um, it does. Click on 'Privileges' and then 'Add a new user'. You're looking for 'database-specific privileges.'

  5. Re:MBA students, appropriate. by David+Gerard · · Score: 5, Informative

    Depends. Alan Cox is a top-class programmer who got an MBA because there was this whole other world that intersected with what he did that he didn't understand.

    --
    http://rocknerd.co.uk
  6. Re:ATTENTION WEB DEVELOPERS by Shados · · Score: 2, Informative

    VBA can have parameterized queries. The old ADO supports them just fine...

  7. Re:Malice or incompetence? by El_Oscuro · · Score: 2, Informative

    In one important way, she is right:

    SQL Server allows multiple commands to be parsed and executed on a single call, separated by a semicolon. Thus something like Robert''; drop table students; -- works

    Oracle (while it has plenty of security vulnerabilities of its own), only allows one command to be executed. So if it is a query, a query is all you can do. True, if the developer is really stupid, you can do things like query DBA_USERS, but you are not going to be able to insert virus code or drop tables.

    If I were Microsoft, the next release of SQL Server would have a parameter (turned on by default) which disabled multiple command parsing.

    --
    "Be grateful for what you have. You may never know when you may lose it."
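The points raised in comments 1 and 7 (a read-only user as a fallback, escaping versus binding, and whether a driver that runs only one statement per call is enough) can be checked side by side. The block below is an added illustration, not code from this thread or from BusinessWeek's site. It uses Python's standard sqlite3 module with a constructed `students` table; `executescript` stands in for a driver that accepts stacked statements (the SQL Server behaviour described in comment 7), `execute` for one that refuses them (the Oracle behaviour), and a `mode=ro` connection for the read-only database user comment 1 mentions. The payload strings are the thread's Bobby Tables example (with quoting that actually closes the literal) and a single-statement tautology, both used only as input data to the lookup functions.

```python
import os
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data standing in for the site's backing store.
SAMPLE_ROWS = [("Alice", "alice@example.edu"), ("Robert", "robert@example.edu")]

# The thread's Bobby Tables input, and a one-statement variant that needs no
# stacking at all. Both are only ever passed as data to the functions below.
STACKED_PAYLOAD = "Robert'; drop table students; --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def build_db(path=":memory:"):
    """Create the constructed students table in a fresh database."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE students (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_stacked(conn, name):
    """String concatenation on a driver that executes stacked statements
    (executescript emulates the multi-command behaviour of comment 7)."""
    sql = f"SELECT name, email FROM students WHERE name = '{name}'"
    try:
        conn.executescript(sql)
        return "ok"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"rejected: {exc}"


def lookup_single(conn, name):
    """Same concatenation, but execute() refuses a second statement; returns
    the rows on success or a 'rejected: ...' string when the driver balks."""
    sql = f"SELECT name, email FROM students WHERE name = '{name}' ORDER BY name"
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"rejected: {exc}"


def lookup_param(conn, name):
    """Placeholder binding: the input is sent as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM students WHERE name = ? ORDER BY name", (name,)
    ).fetchall()


def demo():
    results = {}

    # 1. Stacked statements + concatenation: the DROP runs and the table is gone.
    conn = build_db()
    results["stacked"] = lookup_stacked(conn, STACKED_PAYLOAD)
    results["stacked_table_survives"] = table_exists(conn, "students")

    # 2. One statement per call: the DROP is refused and the table survives...
    conn = build_db()
    results["single_stacked"] = lookup_single(conn, STACKED_PAYLOAD)
    results["single_table_survives"] = table_exists(conn, "students")
    # ...but a single-statement injection still returns every row.
    results["single_tautology"] = lookup_single(conn, TAUTOLOGY_PAYLOAD)

    # 3. Bound parameters: both payloads are just names nobody has.
    results["param_stacked"] = lookup_param(conn, STACKED_PAYLOAD)
    results["param_tautology"] = lookup_param(conn, TAUTOLOGY_PAYLOAD)
    results["param_legit"] = lookup_param(conn, "Robert")

    # 4. Least privilege: a read-only connection cannot execute the DROP even
    #    though the query is both concatenated and stacked.
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "students.db")
    build_db(path).close()
    ro = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    results["readonly_stacked"] = lookup_stacked(ro, STACKED_PAYLOAD)
    ro.close()
    check = sqlite3.connect(path)
    results["readonly_table_survives"] = table_exists(check, "students")
    check.close()
    shutil.rmtree(tmpdir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Case 2 is the one to notice: restricting the driver to one statement per call stops the DROP but does nothing for the tautology, which is why binding (case 3) is the fix and the read-only account (case 4) is a containment measure rather than a substitute for it.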