SQL Injection Turns BusinessWeek Into Viral Replicator

martins writes "The website of popular magazine BusinessWeek has been attacked via SQL injection in an attempt to infect its readership with malware. Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected."

Malic or incompetence?

[Scutter]

Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.

It's bad enough to have an insecure site, but to ignore the break-in for a week or more is just unconscionable.

Re:Malic or incompetence?

[JCSoRocks]

I never understood how SQL injection happened on major sites until it happened to someone I know. (wow that sounded like a bad plug for some unknown disease... anyway...) Initially he absolutely refused to believe that it was SQL injection because, "His application wasn't vulnerable to that!". Finally, in the face of overwhelming truth it dawned on him that it was... so what happened? Oh, the database got cleaned up from a back up... but no code was changed. Then they did it again a short while later and he caught a clue and fixed it up. So, sadly... I've seen people do the same thing - it happens.

Re:Malic or incompetence?

[Splab]

Actually I've been wondering about these injection attacks, I use positional bindings, everything run from stored procedures and using dedicated users - not super users; so its pretty much impossible to inject anything harmful to my system via. SQL - however, that does not guarantee anything for the users.

Are these attacks the old type with ;-- (escaping the query) or are they just code embedded through postings, i.g. forums/discussions from poorly escaped input / code injection through get requests?

Re:Malic or incompetence?

[b4dc0d3r]

It's a site for MBAs - they were waiting for the "technical guys" to fix it. First techie to raise the issue gets fired as a scapegoat, second one has to fix it.

Re:Malic or incompetence?

[ednopantz]

They just don't teach anything about security in schools. We interviewed an intern candidate this spring and asked her how one would avoid a SQL injection attack.

Her response: "Don't use Microsoft products."

Swing and a miss!

The candidate's sample code had a big 'ol SQL injection vulnerability. Yet the instructor raved over his project.

Re:Malic or incompetence?

[xenocide2]

Teaching security is hard. In a more ideal world, your students adore math and critical thinking, and would love to sign up for a course on cryptography and computer security with all those pre-requisites. And TAs would grade programs with an eye to all forms of flaws, be it database normalization, documentation or injection.

The depressing reality is that students don't have any passion if it isn't related to video games, and teaching "intro to databases" is about the least impressive role I know of in CS, short of perhaps the "cs 101: microsoft office" courses that CS departments get pressed into offering.

Re:Malic or incompetence?

[galego]

Instructors live in ivory towers ... sql injections can't climb up ivory yet, no? :p

Re:Malic or incompetence?

[El_Oscuro]

In one important way, she is right:

SQL Server allows multiple commands to be parsed and executed on a single call, separated by a semicolon. Thus something like Robert''; drop table students; -- works

Oracle (while it has plenty of security vulnerabilities of its own), only allows one command to be executed. So if it is a query, a query is all you can do. True, if the developer is really stupid, you can do things like query DBA_USERS, but you are not going to be able to insert virus code or drop tables.

If I were Microsoft, the next release of SQL Server would have a parameter (turned on by default) which disabled multiple command parsing.

Re:Malic or incompetence?

[Mike89]

They just don't teach anything about security in schools. We interviewed an intern candidate this spring and asked her how one would avoid a SQL injection attack.

This. I'm doing a Computer Science degree in Australia and we're learning how to check user input... via JavaScript. No mention of validation on the server-side. No SQL injection prevention. It's a joke.

Re:Malic or incompetence?

[ednopantz]

Wow. Sort of right by accident I guess. I was still hoping to get "parametrize your queries."

Re:Malic or incompetence?

[donscarletti]

This. I'm doing a Computer Science degree in Australia and we're learning how to check user input... via JavaScript. No mention of validation on the server-side. No SQL injection prevention. It's a joke.

If you attend the University of New South Wales, enroll in "Cryptography and Security" with Richard Buckland, if you do not attend the University of New South Wales, enroll there and see point one. This class teaches you systematic thinking about security vulnerabilities, going beyond secure software. It teaches you how to protect your code against many exploit techniques by practical experience exploiting sample code. It teaches encryption algorithms, designing secure protocols etc.

It also it taught by one of the most charismatic pedagogues ever born who pushes those with a desire to understand computing to levels beyond what fear of failing a course could ever do. Look up Richard Buckland on youtube if you don't believe me.

Re:Malic or incompetence?

[Mike89]

I believe you ;). I have a job interview coming up for a good traineeship, so hopefully I get that and I can defer. Thanks for the tip though :)

Hmm

[LizardKing]

It really is fscked. Every job advert is for Lehmans.

Re:Hmm

[$RANDOMLUSER]

Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected."

So no great loss to society then.

Re:Hmm

[Macfox]

What no bail out? Can't we just print more money?

Re:Hmm

Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers

Karma, sweet karma.

Re:Hmm

[Vastad]

"When life gives you Lehmans, go make Lehmanade."

/me frantically ducks explosive tomatoes

MBA students, appropriate.

[retchdog]

Ha. MBA students themselves are a virus. Also technically incompetent. The black hats picked a poetic and practically high-value group to infect.

Re:MBA students, appropriate.

[jellomizer]

You haven't seen the modern MBA have you. Almost half of the MBA students have Computer Science Degrees and have been working professional for at least 5 years. Many of them while good at what they do, wants to further their career so go for an MBA so they be considered qualified for promotion. Not every one wants to be a basic programmer for the rest of their life, they much rather have influence in the process and the design and less time doing the drudge work.

Re:MBA students, appropriate.

[nomadic]

Hmmm sounds like someone's an MBA student. Or graduate.

Business school is a two-year-long cocktail party. Which isn't necessarily a bad thing I guess.

Re:MBA students, appropriate.

[SQLGuru]

Many of them while good at what they do

Not every one wants to be a basic programmer for the rest of their life

Pretty much all of the *GOOD* programmers *DO* want to program for the rest of their lives (while I wouldn't say "basic programmer"....most want to be Dev Lead / Architect type of coders, but coders none the less). And being Dev Lead / Architect is not the type of position that goes to the MBA grads.....MBAs are for people who want to go into Management / Project Management.

I've been in the industry since 1994 and am one of the top database developers in my company. And I don't see myself as being a manager any time soon. I enjoy programming too much. [This is in a large corporation where a manager is not a technical manager; small companies where "Dev Lead" equates to manager might be a different situation.]

Layne

Re:MBA students, appropriate.

> You haven't seen the modern MBA have you.

The last time I did, I was surprised to discover that he didn't grasp even the *concepts* of basic calculus.

Re:MBA students, appropriate.

[retchdog]

I've seen several of the "modern MBA", at one of the top business schools in the US. They are money-hungry jerks running up a huge debt to develop no skills beside socializing; cheating on their exams; and shameless posturing. Then they're going to make a (very comfortable) living doing the same thing. There's nothing wrong with this sort of socializing, except that it's a little bit dishonest to create a privileged class of "pure businessman" who don't develop their connections and camaraderie through actual craft and discipline.

It's all well and good. What does an MBA need technical skills for anyway? They'll just hire a technician to do it for them at a pittance, have the patent signed over, and coast along on easy street. The Steve Jobs-model.

Rant done.

Re:MBA students, appropriate.

[retchdog]

No, I just have to spend time around them occasionally since my field happens to be very useful in finance and business. You can tell, because when you enter the business-popular classes (time series; baby stochastic analysis; &c.) the first thing that hits you is a wave of cheap cologne covering the stench of desperation.

Re:MBA students, appropriate.

[jellomizer]

To be a good Architect you often need a strong business knowledge. Yea Yea You know how to program you so smart (being that I learned to program at 6 years old) it doesn't take a genius to program. But in reality being able to be a good programmer doesn't mean you can design or create solutions that solve real business problems. I have been in the industry for a long time too. Working as a consulting I was actually the top database developer for multiple companies, including many fortune 500 companies. However I found that creating the code is a piece of cake, however the hard part is trying to understand the business process, then filtering out what is needed and not for the code to run successfully without having to run extra work, as well understand what is happening so in a case the software fails (or hardware) you can come up with a quick workaround solution for the employees until you can get a working version. Business knowledge is a key area. If you are working in a business environment getting Masters in computer science wouldn't be as useful as getting an MBA.

Re:MBA students, appropriate.

sometimes they do an MBA in anticipation of starting their own company, sometimes to get more credibility as a senior engineer. not many good programmers give up programming voluntarily to become management fodder.

Re:MBA students, appropriate.

[David+Gerard]

Depends. Alan Cox is a top-class programmer who got an MBA because there was this whole other world that intersected with what he did that he didn't understand.

Re:MBA students, appropriate.

Actually I experience the Modern MBA a lot. their CS experience is out of date. Their Business ideas are insane. and Having a MBA makes them pompous and jerkish. Yes mister degreed manager, you are a stupid idiot and I am better at server config than you are, get the FUCK out of my server room before I tire you up with some spare cat5 jumpers I have here. Go check your paragon with the holistic design of the progress MMMkay?

Re:MBA students, appropriate.

[PunkOfLinux]

Just a quick question: why, exactly, do MBAs need to know calculus?

Please, I'm not following.

Re:MBA students, appropriate.

[shurikt]

It's central to the understanding of the basic theories that drive economics.

Re:MBA students, appropriate.

[oh_bugger]

I've had knowledge of the business process since I was 4 and said knowledge has expanded massively over the years. I was programming using assembly language before I started school. I have created many well known software titles from nothing and many companies rely on these titles. I've cracked any encryption thrown at me and managed to recover files from a hard drive that had been zeroed out. I'm worth 124 billion dollars and Presidents have asked me for advice on many occasions (unfortunately not recently). I am capable of stopping time with my mind and I can fly. I have saved children from burning buildings and put wanted criminals into the buildings. I retired aged 12 but the whole world begged me to come out retirement as when my influence disappeared there economy started to tumble. I have been banned from the Olympic Games because I consistently would win every medal and spoil it for everyone else. There is a contract out on my life because I have invented a type of vehicle which actually reduces the carbon in the air and runs on love. The HLC actually malfunctioned the other day but I stopped the black hole from expanding with my bare hands. God once made a mistake and destroyed the world. He asked for my help in recreating the Earth and I did it in 20 minutes, not 6 days like him.

Re:MBA students, appropriate.

[SQLGuru]

You sound like "The Most Interesting Man in the World": http://www.brentter.com/dos-equis-most-interesting-man/

Do you drink Dos Equis???

Layne

Re:MBA students, appropriate.

[Registered+Coward+v2]

Just a quick question: why, exactly, do MBAs need to know calculus?

Please, I'm not following.

Uh, why do you think the are called financial derivatives?

Re:MBA students, appropriate.

[PunkOfLinux]

Um... I'm in an economics class now, and last semester, and we never discussed this stuff. Maybe it's only a formulas involved that require calc?

Re:MBA students, appropriate.

[jellomizer]

Most MBA don't come out the Top business schools, and there are more students where were not Full Time MBA's, They actually work for a living first and seen stupid PHB first hand. And are taking night classes to get their MBA. A lot of them are planning to go into Not For Profit work, others just so they can be an upper mid manager. If they are lucky to reach a High 5 figure to low 6 figure salary, where they can live their lives well and still see their family. Most MBA are average people who want to make sure they don't have caps on their lives. I am a programmer and will always be on. But I have options to expand beyond my cube.

Re:MBA students, appropriate.

[MxTxL]

It's not as central as it was made out to be, but one area where calculus shows up in economics is in calculating the area under a curve. So when your supply or demand curves are, you know, curvy (as opposed to straight lines) it is easy to calculate the area under them using integration.

Re:MBA students, appropriate.

[Free+the+Cowards]

I'd be really curious to know what he thought of it afterwards, and whether having an MBA really helped him understand this other world. I get the distinct impression that an MBA is the business-world equivalent of an MSCE: it gives you some basic knowledge and impresses the clueless but isn't really very useful.

Re:MBA students, appropriate.

[Free+the+Cowards]

And of course I belie my own cluelessness: I meant an MCSE, not an "MSCE", whatever that would be.

Re:MBA students, appropriate.

[jellomizer]

I think you think they are pompous and jerkish because you approach them as pompous and jerkish. Most likely the guy is trying to understand your process for your job and perhaps find a simpler solution to them. There are many Bad Techs out there who think they are IT gods, and get pissed off when someone gives them a better idea that forces them to do things differently, even if it is better. If you are being a jerk to a person they will be a jerk back at you, especially if they authority over you. It seems your method doesn't really work to well, as the manager feels there is a problem that needs to be resolved. Hoping that it is easier for him to figure out what is going wrong and create a policy which will solve the problem is easier then firing you and getting someone else.
There are elements of running a successful business which conflicts with CS. The CS mindset it make it Run as fast as possible. business mindset is to make it run fast enough, with as little expensive human interaction as possible. It may not be that their CS experience is out of date (as it really doesn't go out of date that fast), but your business knowlege is severally lacking.

Re:MBA students, appropriate.

I've just started an MBA (first class was two days ago). Computer Science (and 5 years minimum of real-world experience) is the most prevalent undergrad degree in my class.

Engineering is the second most common, followed by pure mathematics. Only around 10% of the students seem to have a business-related undergrad degree.

I, and most of the other CS people, plan on staying in tech. For my own part, I want to have the ability to really understand the business problems I am faced with at a fundamental level. I think too often we have technical people making decisions about which features should go into a product when really, we need to have some business experience as well to make truly informed choices.

Re:MBA students, appropriate.

[LordSnooty]

They don't, they just use Excel.

Re:MBA students, appropriate.

umm..15 years in the same position and you're just 'one of' the top programmers? Not advancing in the company may not have been entirely your choice.

D

Re:MBA students, appropriate.

[mrdoogee]

My friend is an MBA grad. He works as a financial analyst for a fairly large company (100K+ in sales/wk). While he certainly can't program or code beyond simple vBasic programs, he certainly knows a lot more about networking and systems than you would expect. IT actually will have him poke around the server room for them(they are in a satellite office without a full time IT guy there). However he may be the exception to the rule. He's a math whiz though and actually was a math major as an undergrad.

Re:MBA students, appropriate.

[broohaha]

Depends on the school and the student.

Half the engineers in my dept of this telecom equipment company I used to work for were getting their MBA's at Northwestern's Kellogg School of Management or at the U of Chicago's Graduate School of Business.

They were all freakin' brilliant, but being a staff engineer wasn't all they wanted to be. They wanted to start their own companies or run one from a very high perch. I kept in touch with a few of them over the years, and sure enough, they all ended up doing those things. I even started a company with one of them.

So, again. It all depends on what you take out of it, as well as where you go and how seriously they treat you. If you walk in thinking it's a piece of cake and nothing more than a piece of paper to wave at people, then it'll be worth far less than others who take it seriously and use what they learned effectively. (Choose the right school, too, of course.)

Re:MBA students, appropriate.

I think too often we have technical people making decisions about which features should go into a product

No. Too often the opposite is true:
"Well, the project was for a database that had an average of 10 accesses per year, and even though we are 2 hours from launch, can't you guys update it to handle 2 million hits per second? Good, because we already promised the client that you could. Get to it."

The reason why the tech guys usually make those decisions is so you end up with a product that is deliverable, or at least falls within the realm of physical possibility.

Re:MBA students, appropriate.

[SQLGuru]

15 years in the industry is not the same as 15 years in the same position.

And since I stated that I work for a large company (I/T is numbered in the thousands), being ONE OF can still be pretty elitest. I would have said "THE BEST" but refrained since my general view on the nature of the posters on /. (at least the quality posters) are that they are my equals. Anonomous Cowards and Frosty Trolls not included.

Layne

Re:MBA students, appropriate.

[EdelFactor19]

no to be a good architect you have to have DOMAIN knowledge, not business knowledge. You don't have to know how to turn a profit or what an ROI is. You have to have technical knowledge of the requirements and the varied means which you could possibly implement a solution with.

the masters in CS probably wouldnt be needed because these "business environments" you speak of never tend to do anything cutting edge in terms of the things that you do in getting a masters in CS; further research into Computer Science, not becoming a better programmer.

and for the love of god stop talking about writing databases like its "coding". A database developer is not a coder or a programmer. Someone who actually writes programs to interact with the database is.

It doesnt take a genious to write a hit song, or invent a brilliant product either, it takes ingenuity and creativity mixed with some experience. But your job isnt to be a "good programmer" its to be a good software engineer.
It doesnt take a genious to write Hello World; but it might take more of genious to realize he doesnt need to write hello world anymore, he can write a program to do it for him.

all in all you sound increasingly full of it.

lol "creating the code is a piece of cake"
sorta like typing a book is a piece of cake too, its figuring out what to right thats the challenge. And god forbid you knew anything about software development you'd be unit testing the software you wrote.

in short, if you want to be software architect knowing something about the field your software is in is just a bit more important than knowing about "business". Knowing the figures and profit margins and the financial business strategy not so important. Understand the technical domain of the software you are developing, how clients would use your software, and experience using and designing software in similar fields (especially using Go4 patterns) far more important.

thanks for demonstrating the pig headed naivety that you can always throw a couple more "business minded managers" at a problem to solve it.

Re:MBA students, appropriate.

[EdelFactor19]

seeing as pretty much all of the financial functions are derived from calculus, you probably want to understand what the heck they mean before you start using them.

ammortization? linear programming? seeing as just about nothing in the real world (especially finance) is as simple as a linear function and you are pretty much always interested in understanding Change, the amount of it, the rate at which its changing.. yeah you probably want to use calculus.

that and the fact that if they know you can do calculus you should be able to invariably crunch whatever numbers they through at you. although I'd think discrete structures could be just as important.

Re:MBA students, appropriate.

Judging by your post, and your posting history I'd wager you have in fact not "been in the industry for a long time" nor have you been "Working as a consulting [sic]" - if I ever encountered a consultant who was unable to use correct spelling, grammar, punctuation and paragraph formatting I doubt he'd survive the first email exchange let alone get any chance to work as a database developer.

Your emphasis on business knowledge, fantasies about Fortune 500 companies and confusion between database design and "coding" smack of a business graduate who used Microsoft Access at one time or another and suddenly decides he's the God of Relational Databases.

Please stop.

Pity on the future MBAs

[rainer_d]

Ah-well, only kidding ;)

That's frightening

[Centurix]

A replicant virus. Is it a virus or a replicant? Will it need retiring? If the website hosted a picture of a turtle on its back, will it rotate the picture 180 degrees? Will we know if it's a replicant virus or a real virus by the end of the article?

ATTENTION WEB DEVELOPERS

HAI!

Just a friendly reminder - your Database Admin will be more than happy to set up multiple users for you with different permissions. For instance, a user with "write" privileges that can be used by the website backend page that the editors use, and a user with "read only" permissions that the public facing web server(s) will use when presenting the page to the public.

That is all.

Re:ATTENTION WEB DEVELOPERS

[apathy+maybe]

This is a very good point. Except that phpMyAdmin makes it really easy to set up a new database with a single user who has all rights, and the same name as the DB.

So what I tend to do (and I do admit that I am a lazy SOB), is just create a new DB and user for every app.

However, your idea is much better, and it would be nice if phpMyAdmin had such a feature... (Not that I'm about to code it in, on account of my being busy with other things, and never having even looked at the phpMyAdmin code beyond what is needed to install it.)

However, an even better thing to do (then just create a read-only user), is to escape shit before you query the DB... PHP and MySQL have this nifty function mysql_real_escape_string which will do that for you. It is better then using the general escape functions in PHP, for reasons that I read just recently. Basically, it takes into account the character encoding for the DB... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Re:ATTENTION WEB DEVELOPERS

Multiple DB users, proper escaping, you know it's not actually an either-or situation. If the only way you know to set up a database is through phpMyAdmin, then you need help reading the manual.

Re:ATTENTION WEB DEVELOPERS

[morgan_greywolf]

However, your idea is much better, and it would be nice if phpMyAdmin had such a feature

Um, it does. Click on 'Privileges' and then 'Add a new user'. You're looking for 'database-specific priveleges.'

Re:ATTENTION WEB DEVELOPERS

[apathy+maybe]

I know that ;). I was looking for an easy "one click" create two users for one DB, in the same way that you can currently create a user and a DB at one time.

Re:ATTENTION WEB DEVELOPERS

[moreati]

However, an even better thing to do (then just create a read-only user), is to escape shit before you query the DB... PHP and MySQL have this nifty function mysql_real_escape_string [php.net] which will do that for you. It is better then using the general escape functions in PHP, for reasons that I read just recently. Basically, it takes into account the character encoding for the DB... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Please repeat after me: String escaping is the wrong answer to SQL injection.

Now please move rapidly toward using prepared statements.

Also, setting up a least privilege is still a very good idea. That should be considered as required for any internet facing database.
Alex

Re:ATTENTION WEB DEVELOPERS

[morgan_greywolf]

I know that ;). I was looking for an easy "one click" create two users for one DB, in the same way that you can currently create a user and a DB at one time.

Well, it's not like it's that hard. Honestly, this really sounds like you're just being lazy. ;)

Re:ATTENTION WEB DEVELOPERS

[apathy+maybe]

I did admit that ;).

Re:ATTENTION WEB DEVELOPERS

[Shados]

The string escaping culture is really sticky, too. Its almost like hungarian notation, but worse. People tend to get insulted if you mention that you need to use prepared statements. Then when you explain it, they tend to insist that nothing can get through string escaping, that its perfectly fine, and sometimes they make excuses for it being better.

Then the only way to convince some people is to point out the performance issues (prepared statements result in cached query plans in many RDBMS, giving performance equal to stored procedures), and thats the only way to get through.

Oh well, someday...someday...

Re:ATTENTION WEB DEVELOPERS

[CodeBuster]

However, an even better thing to do (then just create a read-only user), is to escape shit before you query

Or use a parameterized query like select * from users where username = @username INSTEAD OF "select * from users where " + unfiltered_string where the the unfiltered string is taken straight from an input on the public website, spliced into a string literal query, and then passed on to the database. Of course, filtering is still advisable too in any case but really, there is no better way to announce to the world that an operation is amateur night (i.e. we just read "Teach Yourself PHP in 10 Minutes" before throwing together our site) than to fall victim to the classic SQL injection attacks.

Re:ATTENTION WEB DEVELOPERS

[smoker2]

phpMyAdmin already has this feature. Except in shared hosting environments, where each sites admin has permissions to read/write but not create.
If they are in that situation, they can still ask their host to add another user to their dbase with the required permissions.

Re:ATTENTION WEB DEVELOPERS

[GuldKalle]

I'm curious, why is string escaping depreciated? The Wikipedia article doesn't make it clear.

Re:ATTENTION WEB DEVELOPERS

[mortonda]

This is a very good point. Except that phpMyAdmin makes it really easy to set up a new database with a single user who has all rights, and the same name as the DB.

So what I tend to do (and I do admit that I am a lazy SOB), is just create a new DB and user for every app.

However, your idea is much better, and it would be nice if phpMyAdmin had such a feature...

It does! I create the database, then a user(s) with no permissions. Each user can be set down to the dtabase or table level, with different permissions.

However, it is also good practice of course, to use placeholders to properly escape data to the database.

Re:ATTENTION WEB DEVELOPERS

[mortonda]

I'm curious, why is string escaping depreciated? The Wikipedia article doesn't make it clear.

My thought is that using string escaping makes it easy to forget to escape something. Using prepared statements is such a different method, it's easier to do it right.

After cutting my teeth on perl's DBI and prepared statements, it just kills me when I have to do a VBA app... no placeholders at all.

Re:ATTENTION WEB DEVELOPERS

[Shados]

The fact that "mysql_real_escape_string" or whatever exists is an example of that: String escaping relies on string manipulation tricks to make things "secure". On top of being potentially vulnerable to any problem in the server (which obviously cannot be gotten around of), it is also vulnerable to anything on the language side: for example, a string vulnerability would also make your queries vulnerable. Two attack vectors.

Its a workaround, a cheat, a hack. A prepared statement is handled by the driver and/or by the server itself, to compile your statement, and then pass the parameters (like you would a stored procedure or a function) at the binary level, on a RDBMS by RDBMS basis... That is, the vulnerabilities at the string level of MySQL are not the same as Postgres which are not the same as Oracle, DB2, or SQLServer, etc.

On top of that, prepared statements will (in most RBDMS) compile and cache the statement, and be able to reuse it whenever is needed (basically, whenever the query is the same except for the parameters), which enhance performance.

So there's simply no reason to use string escaping, and hasn't been ages.

Re:ATTENTION WEB DEVELOPERS

[Shados]

VBA can have paramterized query. The old ADO supports them just fine...

Re:ATTENTION WEB DEVELOPERS

cpanel provides for multiple users w/varying levels of permission.

Re:ATTENTION WEB DEVELOPERS

[Chyeld]

You do realize his nick is "apathy maybe". Doesn't seem exactly hard to infer the amount of effort he'd be willing to put into things...

Re:ATTENTION WEB DEVELOPERS

[burnin1965]

And in case you want to implement least privilege in your PHP application but still provide access to high level database users...

phpgirder

A shameless plug ;)

Re:ATTENTION WEB DEVELOPERS

[Ambiguous+Puzuma]

I agree, but just to nitpick:
Prepared statements are a subset of parameterized queries. A prepared statement is a parameterized query with a flag indicating that the query should be "prepared" for reuse (possibly with different values for the parameters), so that the cost of analyzing the query and developing an execution plan is limited to the first execution. There can be a bit of extra overhead, typically in the creation of a temporary stored procedure, so a query that is only to be executed once should not be prepared.

Using parameterized queries--prepared or not--protects you from SQL injection (unless the query is specifically designed to execute input, which there is rarely a reason to do). Of course if you want to maximize performance, in most cases you'll want to use stored procedures instead, which provide the same protection and shift query analysis costs to compile time instead of execution time.

Re:ATTENTION WEB DEVELOPERS

[Shados]

The last bit is incorrect. In most modern RDBMS, the query analysis is done at the same time for both stored procedure and parameterized queries, and then, in both cases, is cached, for whatever amount of time the RDBMS (or DBA configuration) tells it to, and reused for that period of time.

Compile time query analysis and query plan caching is actually an old way of handling it (some less powerful rdbms still do it that way, but the good ones don't): it has to be, as the query analysis will vary GREATLY depending on database statistics, thus it needs to be defered as far as possible, and redone every so often to re-analyse the statistics. Complex stored procedures would be incredibly slow if they were precompiled, or even if the query plan was cached for too long.

Parameterized queries work the same way (actually, in many cases, the parameterized queries and stored procedures go through the same pipeline), with the only performance difference being the amount of data sent (for a stored procedure, you only send the time...for parameterized sql, you send the entire query, which can be a hit if you have extremely huge queries. This is offset by how a parameterized query can be more flexible, and dynamically generated to request less data, while stored procedure reuse makes that harder, so often requests for useless fields will be made)

All in all, in most cases, the myth that stored procedures are precompiled is just that: a huge myth.

Re:ATTENTION WEB DEVELOPERS

ATTENTION:

TESTICLES!

That is all.

Peter Griffin.

Re:ATTENTION WEB DEVELOPERS

[petermgreen]

Using escaping to protect your queries is like doing strings by manually allocating blocks of memory and then storing a sequence of characters in them followed by a null terminator (either directly or through a series of helper functions).

Both can sometimes be forced on you by the environment you are working in. Both require an extreme level of attention to detail by both the initial programmer and later programmers who work on the code. Both can easilly lead to security holes if the programmer makes a simple mistake.

Re:ATTENTION WEB DEVELOPERS

[orkysoft]

Try a prepare statement sometime. How many escaping functions does PHP have these days?

Re:ATTENTION WEB DEVELOPERS

[mortonda]

I guess I did run into that recently, but didn't quite put it together... I was looking for "?" as a place holder.

Is it actually usefull for preventing sql injection by escaping the contents of the parameter?

Bobby Tables is at it again...

Bobby Tables is at it again...

haha

haha, now that site really does what it's supposed to

' UNION UPDATE `users` SET karma='godlike';--

[nathan.fulton]

TFA: "the code injected into BusinessWeek's website points to a Russian website that is currently down and not delivering further malicious code."

Seriously? Why is it that these people always point to their site? wouldn't you figure that, with a bit of injection, they could put the damn thing in the database? It's never made any sense to me. Anyone have any insights?

Also, they always waste these opportunities to give replace real headlines with those from the Onion... if they're going to do something malicious, they should at least do it with style...

Re:' UNION UPDATE `users` SET karma='godlike';--

[NoisySplatter]

If you're going to do something malicious for profit you should make it look like nothing ever happened. While swapping the headlines would be funny it would definitely lessen the amount of time the flaw went unnoticed.

Re:' UNION UPDATE `users` SET karma='godlike';--

[10101001+10101001]

Seriously? Why is it that these people always point to their site? wouldn't you figure that, with a bit of injection, they could put the damn thing in the database? It's never made any sense to me. Anyone have any insights?

1. Inject a database to gain access
2. Insert barebones code to bootstrap from an updateable external source
3. Patch the database so no one else can remotely take over your newly pwned database

In short, it's because the people who do this want to make money and insure that they can update the malicious code as needbe without worrying that someone else will come along and tie down the system with their own crap. Now, if said people knew when the site was going to be cleaned and had all the necessary code already created for that circumstance, I'm sure they'd do a one-time injection without any external references. But, if so few coders in the legit market can manage it and almost all need the ability to patch code months or years in the future, I'm pretty sure most black market scammers are going to be in the same boat.

And like the other poster pointed out, the point isn't to draw attention. That just increases the odds of decreasing the money making period. Not to mention that questionable headlines might make people shy away from the site under realization that it's hacked.

Re:' UNION UPDATE `users` SET karma='godlike';--

I was involved in repairing a site that had been hit by these SQL injection attacks recently. I did a bit of snooping and I eventually found my way to a script that runs a tracker for the bastages... Even the guys that run malware need to know their stats...

These attacks are hit and run - They either don't want to put thought into the hack or they just don't care... Their purpose is to "hit 'em big and hit 'em hard" to infect as many as possible at once.

Re:' UNION UPDATE `users` SET karma='godlike';--

Injecting a reference to the payload rather than the payload itself allows you to modify it at a later date. This could also allow you to sell 'control' of the payload.

Re:' UNION UPDATE `users` SET karma='godlike';--

[canajin56]

The reason they don't, is because they cannot. SQL injection lets you put stuff into database tables. It doesn't let you put stuff into their filesystem. You can add a javascript to their page, but I don't think there are any javascript viruses still running rampant. Barring that, you need a Flash file, or some other buggy and horrific file that you can embed. And that has to be hosted by you, since you can add a frame linking to it easily, but you cannot just upload it to their server. The only exception would be if images and flash are not stored in the file system, but stored as BLOBs in the database, but I think that is not very common. In either case, just adding an iframe with src='www.viruses.ru/myviruspage.html' is much more simple.

more economic woes

[prgrmr]

Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected

I suppose McDonald's is going to have to rely on employing just the liberal arts majors for now.

Re:more economic woes

Just so you know, computer science is considered a liberal art in a number of colleges as it's a branch of mathematics.

Asshat.

Re:more economic woes

[flyingfsck]

You made me snort my coffee... but it is so true. The other problem is that MBAs are very unlikely to know how to fix their machines once they are fscked up. In every place I worked, most viruses were spread by the top brass.

Re:Bobby Tables is at it again (obligatory link)

[CaraCalla]

http://xkcd.com/327/

Hackers stealing from the soon-to-be rich..

[Unexpof]

The original source of this story is security firm Sophos, who have posted a video about the BusinessWeek SQL injection attack. Their advisory makes the point that the victims of this particular attack would be MBA students, likely to earn a small fortune in their future careers. The video was made on an Apple Mac - kinda funny as chances are that the resulting malware wouldn't actually be targeting that platform.

Nit pick time.

[BitterOldGUy]

Many of them while good at what they do, wants to further their career so go for an MBA so they be considered qualified for promotion.

To nitpick:

That depends on your company and their policies. Therefore ask HR. I did once to see what they'd do for me. The answer was that I'd get a $3,000 raise for having a graduate degree. I asked for clarification regarding why she put that way; "You mean, I would get the raise regardless of what masters degree I received?"

"Yes. Of course your manager has to approve it."

Another thing to clarify, and I've found this out the hard expensive way: getting an MBA does NOT automatically give you a ticket into management. Here's what I was told by several folks: You need management experience for an MBA to mean something. Without the experience, the MBA is worthless. So now, I'm a coder with an MBA - it's not doing me any good. And like a stupid SOB, I paid for it with student loans. I did it when I was out of work thinking that it would get me a management job. Schools are so quick to tell you that their MBA will further your career. BS! Experience matters more than the degree - and networking (i.e. It's who you know.)

So here's what I would do differently, get into management, see if my company requires an MBA for my position, get them to pay for it, bust my ass in night school, some profit! But if they don't require it, I don't see the point in getting one.

And there's going to be a HUGE glut of MBAs. With this down economy, MBA enrollments have gone through the roof. Which means, in two years, the already huge glut of MBAs is going to get bigger.

Re:Nit pick time.

[nomadic]

So now, I'm a coder with an MBA - it's not doing me any good. And like a stupid SOB, I paid for it with student loans.

Look on the bright side; it was only 2 years of student loans, I had to do 3 years of law school to be in the same situation.

Re:Nit pick time.

[somersault]

I did 4 years of CS only to spend most of 4th year playing CS, mudding and having a long distance relationship with someone in a different timezone (meaning I only did about 25% of my project, which I could have swapped for a more interesting robotics/AI project, but I didn't think the one student who was assigned to the professor I wanted to study with would swap because the project was so awesome - then he swapped with someone else).

Re:Nit pick time.

[nomadic]

I did 4 years of CS only to spend most of 4th year playing CS, mudding and having a long distance relationship with someone in a different timezone

Wow, you were in CS but had a relationship? You're already beating the curve there.

Re:Nit pick time.

[somersault]

Yeah, she eventually moved over here for a few months but then it all ended pretty badly. I'll probably end up repeating the cycle of computer games, online forums, meeting a random person who somehow convinces herself she loves me while apparently the whole time just deluding herself that she's not in fact an asexual freak who wants to spend the rest of her life living alone writing books that she doesn't care if anyone else reason, in a mountain cabin. Resulting in me getting horribly burned. Yes, that would be a fun cycle to repeat.

Thankfully though, there aren't many women on slashdot, and the few that are are so hardcore geeky that they won't want someone who didn't complete his honours year :)

Sigh...

[Angvaw]

Sigh...And all the developers had to do was use binds, which actually make programming easier, too. I wonder if they wrote code to handle the dreaded apostrophe.

AND I don't mean ...

[BitterOldGUy]

to disparage education. It's just that the days of getting more education to advance in your career, at least in corporate America, are gone. All you need are the basics; which usually is a BS in your field. It's who you know. And even then, if thy're snobs who don't associate with "your kind of people" it doesn't matter either. We're rapidly becoming a downwardly mobile society.

I'm just ... look at my user name...

Re:AND I don't mean ...

[jellomizer]

You can get by with the basics. You always could. However having a piece of paper to show that you have the possibly to do it, hedges your bets. Getting an MBA doesn't automatically put you into the C Table. But what it does is show ambition and most companies will see that and put you on that track.

Re:AND I don't mean ...

[StellarFury]

Unless of course you're going into academia or industry in a science field, where having an M.S. or Ph.D. is basically an entry requirement if you don't want to be a lab monkey for 8 years.

Commie plot perpetrated by the chinese

Fact!

Tag - LittleBobbyTables

[lazy-ninja]

http://xkcd.com/327/

Anecdote:

[Jaysyn]

I don't think any of the managers where I work, up to & including the Owner / President, have an MBA. We are an engineering firm that has been around for 25+ years.

Links Please!

Why is it that the article submitters never provide enough links. Maybe we'd like to look at the affected site.?!

oh well

oh well, only the Asgard can save us now.

One of the owned sites.

[kefkahax]

One of the pages that reads from the owned DB: hxxp://bwnt.businessweek.com/recruiting/index.asp?f=M

RBN > BusinessWeek?

Also, did anyone notice how close the subdomain is to 'pwnt'?

SQL Injection? At this hour?

[brian.aspx]

I can't believe in this day and age something as lame as sql injection is still happening, especially to large company websites. Anyone using inline SQL should be taken out back and ridiculed until they cry. If your developers are mindless enough not to validiate user input then at least use stored procedures.

Re:SQL Injection? At this hour?

I can. It takes too much extra money and effort to code up a SQL prepared statement. Better to hire a cheap, inexpensive, inexperienced person and say "Git-R-Dun! ASAP!".

And no, I'm not being sarcastic. The extra 5 minutes it would take WILL be held against you.

Re:Bobby Tables is at it again (obligatory link)

[rickb928]

Much as I love Mom, I hope she never ever finds my websites. I don't need the education.

Re:SQL Injection? At this hour?

[Shados]

Don't even need stored procedures... prepared statements are more than enough... But seems like even this is asking too much. I'll never understand... having to think about all the concatenating and quote escaping and conversion of datatypes to string and all that garbage is so confusing... Even if it wasn't for security, prepared statements are so much better (when not using an ORM anyway)

Re:SQL Injection? At this hour?

[leonbloy]

If your developers are mindless enough not to validiate user input then at least use stored procedures.

... and, don't forget the most important: forbid the end users to employ dangerous words in their "security question" answers. Hey, how cool is that?

(You can find this and other amusing samples of anti sql-injection techniques by dumb developers at WTF)

Re:SQL Injection? At this hour?

[CorporateSuit]

But what if my mother's maiden name is BENCHMARK(1000000000,MD5(CHAR(116)))? We're Irish, after all!

and yes, my childhood pet WAS called "'; xp_cmdshell 'format c: /q /yes '--" and I loved him.

anyone buy something from this store?

[rmst2000]

http://www.mount4less.com/ their lcd computer mount looks great. i just want to know any one buy from them or not?

Mods on crack

[Free+the+Cowards]

Hint to moderators: "Troll" is not a code word for "I don't like what he says". Even if you could somehow twist things around to justify marking the first post as "Troll", how do you figure that correcting my own mistaken acronym is a Troll?

Go on, mark this one as a Troll too. I dare you!

Re:Mods on crack

[eat+here_get+gas]

lol, they did!!!

do they ever share that crack they smoke?

Re:Mods on crack

[Free+the+Cowards]

Somebody is striking back with "Underrated", too. This is so funny.

Hey mods, try to get this one +1 Funny and -1 Overrated!

Voodoo economics / creative accounting

[SgtChaireBourne]

Just a quick question: why, exactly, do MBAs need to know calculus?

Please, I'm not following.

"In the fall of 1972 President Nixon announced that the rate of increase of inflation was decreasing. This was the first time a sitting president used the third derivative to advance his case for reelection." http://www.daviddarling.info/encyclopedia/D/derivative.html

fai7zOrs!

And the striking ~280MB MPEG ovvf of on baby...don't would you like to