MySql.com Hacked With Sql Injection

iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind sql injection attack."

Another report

[symbolset]

Some evidence of server issues here already. Another report: A proper link?

Re:Another report

No offense. Bad code can be written in any language.

Re:Another report

[guybrush3pwood]

Bill, is that you?

Re:Another report

[AsmCoder8088]

Okayyyyyyyy... MS astroturfing, anyone?

Re:Another report

[WrongSizeGlass]

This article is a tad harsh on MySQL.com - and rightfully so:
* The domain's SSL expired a month ago
* Some of the passwords for the account 'sysadm' was “qa”
* Their website was obviously not properly secured

Re:Another report

[halestock]

laying it on a bit thick, aren't you?

Re:Another report

[WrongSizeGlass]

This article is a tad harsh on MySQL.com - and rightfully so:

That should have been This article . D'oh!

Re:Another report

[Cidolfas]

Or better idea: just use PHP's PDO module for your SQL interactions, regardless of backend database. It makes bad code just as hard to write in PHP as it is in C# (which means, still easy but most use-cases are at least sanitized).

Re:Another report

[symbolset]

180 words, under 1 minute by the timestamp. It was actually under 30 seconds. Bot. A prepared response to any article containing "hacked" and "mysql"

Re:Another report

[bondsbw]

I have been a C# developer since .NET 1.0, and worked with MS SQL Server just as long. I love them, and recommend them wholeheartedly to everyone I know. But if you think C# + MSSQL = Safe, you've probably already been hacked.

Sure, C# via ADO.NET has parameterized queries to help prevent SQL injection, and we have the Entity Framework and such goodies, but all I need to do is "SELECT * FROM MyDB WHERE ID = " + queryStringID + ";". String concatenation... it's a feature of C#, and because of it you suddenly get to do with my database as you please. You're welcome.

And it happens all the time, since it's the most straightforward way to access a SQL database.

Besides, I doubt MySQL is that less secure than MSSQL. PHP is the traditional culprit... on that point, we agree.

Re:Another report

[marcello_dl]

>As a hobbiest web based game developer it's performance I wouldn't have money to get elsewhere.

sooo... you really haven't been far as decided to use even go want to do look more like, I guess.

Re:Another report

[igreaterthanu]

Or whoever posted it has a subscription on another account perhaps?

Re:Another report

[Dunbal]

Not trusting the user input is rule #1 of programming - from way before the internet era. I'm only a programmer by hobby and even I know that. What do they teach these kids at school?

Re:Another report

Perhaps he hacked /.'s mysql server to alter the timestamp? I bet he created a GUI in Visual Basic to hack the IP address.

Re:Another report

[Max+Littlemore]

Well, I think it's one of the major problems with C# and MS SQL Server. By default the combination allows extremely unsafe code. or I should even say encourages. I'm all for allowing for the coder to take those routes if he wants to, but for the love of god, teach the noobs to program safely. While you can use safe methods with C# and MS SQL Server, other languages encourage it. For example befunge98 combined with Paradox makes sure the programmer is coding safe code. On top of that Paradox is speedy, stable product that is used by millions individuals and enterprises. For me that sure does tell about quality, and by looking at the companies using the PDP-11 I'm even happier to pick it as my platform. btw, I personally found their Paradox Baby Shit Orange cloud-based databases services absolutely stunning. They are highly scalable, ultra fast and automatically taken care of for you. As a hobbies useless pre loaded crapware developer it's performance I wouldn't have money to get elsewhere. And the sheer quality of the service is absolutely great.

or to put it another way, shit programmers write shit code, regardless of the tools they use. Begone to the special Hell they keep for corporate schills you obvious schill.
oh and by the way, more people and companies using a product is more likely to mean there is a reality distortion field or illegal anti-competitive behaviour surrounding a product if the past 30 years is anything to go by. Shit for brains.

Re:Another report

[Goaway]

Of course. That is hardly relevant. The question is, how hard is it to write bad code?

Re:Another report

[petteyg359]

That's like an SQL injection attack for the brain. Just trying to figure out what you said is causing corruption.

Re:Another report

[uberjack]

As AC below pointed out, bad code can be written in any language. I worked for a University of California campus, when UCLA got hacked a couple of years ago, due to a SQL injection attack. Their choice of platform? C#/MSSQL. Programmers on our own team (C#, MSSQL) wrote SQL injection-friendly code - I can't remember how many times I've caught unsanitized input being put into a SQL query without proper sanitization or "SqlParameter-ization" - people who wrote enterprise-level apps for years prior, and who should know better. PHP has mysql_real_escape_string, which sanitizes input. I've written my own Ruby-on-Rails-ish helper functions to sanitize input in a less hackish fashion in PHP. There's always a way. This type of shit will continue to happen until people realize that security in today's web development is as important (if not more so) than programming skill, and stop hiring dipshits without proper screening.

Re:Another report

[igreaterthanu]

You don't think I could have typed that one sentence by hand within 6 minutes? I admit that my last few comments I've made have been about Microsoft but I have made many comments on other topics too.

Why couldn't he have composed it in advance? The story was posted in advance and anyone with a slashdot subscription could have read it, composed a reply, created a disposable account and then pasted the response into the story. Is it really so hard to copy and paste within 30 seconds if you are given plenty of warning of which 30 seconds it will be?

Re:Another report

[MarkRose]

Using PDO isn't sufficient. You also have to bind all your values/parameters. Just sticking variables into the SQL statement wont' save you.

Then there's the extra round trip performance overhead of using a prepared statement if created in PHP and not saved in MySQL.

Re:Another report

A 30s reply to symbolset could not have been composed in advance. Only a shill would compose a story response, then post it as a reply to someone. As usual, he did it to get the most views (since responses to symbolset would push his post down the page otherwise).

Re:Another report

[PopeRatzo]

Note the parent's comment.

Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.

One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have java-script enabled so you can't even collapse the offending thread.

Re:Another report

The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have java-script enabled so you can't even collapse the offending thread.

It shows how broken the Slashdot discussion system is. Comments on the first 2 pages are read the most -- many more people stop reading halfway down. The majority of moderation points are spent on the top threads. Thus, by trolling at the top of the story, one can completely derail the following discussion.

In my opinion /. admins need to

• make it impossible for 6mo old accounts to get first, second, or third post -- not even as a reply to the topmost posts
• make it impossible for 6mo old accounts to receive moderation points
• controversial: display the usernames who have moderated a post

Re:Another report

Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety?

I agree with you, but sometimes a nigger joke is just a nigger joke. I wrote a nigger joke in one story and it made first post. Then you went all ape-shit (pun intended) about how it's THEM!!!! conspiring to take over teh solar system or something ... that made my day dude. I think the neighbors could hear me laughing.

But yeah this troll can obvious tell that guy was a shill. A real obvious one. Anybody who isn't sure about that may be interested in buying some nice swampland in Florida. Maybe they'd like to also help a Nigerian prince move money out of his country.

Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds".

Most Slashdotters are familiar with the long history of Microsoft and its business practices. Some moron singing the praises of MSSQL isn't gonna erase that history. Even if MS made the undisputably best database in the entire world, and they don't, but even if they did I wouldn't use it. I would rather use the second-best and not have to deal with the devil. But then I have standards. A lot of you are mercenary types who don't give a damn and that's cool, just don't complain about how corrupt and fucked up most of the world is because you're the reason for it, the steady source of support for it.

Anyway Slashdot's gotta be one of the very worst places to try to make MS look good. The people who don't like MS got a long LONG list of damned good reasons for that. It is not something they flipped a coin to decide. It is the product of repeated examples of abuses and asshattery by this company over the last 10-15 years. Not something you can smarm your way out of. The PHBs who might be dumb enough to buy this shill's marketing don't usually read Slashdot.

The professional liars known as PR firms are only making sure that a foolish company with no scruples and its money are soon parted. Anybody who works for a PR company, really what the fuck is wrong with you? How does it feel knowing that you get your living by dishonesty and trickery?

Re:Another report

[Cidolfas]

True, I was just saying it brings PHP into parity with .net

Re:Another report

[PopeRatzo]

It shows how broken the Slashdot discussion system is.

To be fair, I think we're seeing an attack of mil-spec astroturfers and their sockpuppets. I don't expect Slashdot to have been able to have been omniscient enough to have anticipated this.

But now that it's here, I think it's an issue that anyone who uses the Internet to get information or opinion has to be aware of and address.

Re:Another report

[Tablizer]

I'll buy it all from you if you meet me behind the pork warehouse on 2nd street & Lumbar at 1am on the South Side. Deal?

Re:Another report

[Tablizer]

MS is as bad at astroturfing as they are at advertising.

Re:Another report

[hairyfeet]

Which is why I have a question: WTF is up with the MS Shill brigade on /. lately? I've only noticed it for about the past three weeks or so, but damned the shit is getting thick. Look at the one that posted on the Nook hack, the very first post is "I Wish Microsoft would have released the Courier" complete with link for those that don't know what that bullshit vaporware was in the first place. I mean did they get a deal on that HB Gary software or what? And why are they so insecure? I mean sure WinPhone is dead last but Windows 7 is nice, and the X360 is doing well. So what is up with the rampant MSFT shilling? Do they fire your ass if you don't post X number of shill posts or something?

As for TFA, garbage in, garbage out. I don't care if you code in VB 6 or Brainfuck if you write sloppy code it WILL come back to bite you in the ass. But trying to blame this on the language, to use a /. car analogy, would be like trying to blame Ford because someone got drunk and hit a kid with their Mustang. A tool is only as good as the person using it, full stop. I've seen clean code and lousy shit in just about every language. It ain't the tool that's the problem it is PEBKAC. But they should get extra points for the sheer irony factor. I mean a site promoting SQL falling for the oldest trick in the book? Bobby Drop Tables anyone?

Re:Another report

[c0lo]

Of course. That is hardly relevant. The question is, how hard is it to write bad code?

Far easier than to write a good code, no matter the language (on some languages, it's even impossible to write good code)

Re:Another report

[bcmm]

The only other comments made by that account are on the front-page story before this one. However, they're timestamped quite a bit before this story went up. How long does a subscription let you "beat the rush" for?

Re:Another report

[smellotron]

I'd say it's more like a DoS attack. Force your brain to spend excessive cycles on parsing the sentence, and hopefully get you trapped into an infinite loop!

Re:Another report

[gfody]

it's called social media monitoring and engagement and get used to it because it's the future of marketing. more

Re:Another report

[PopeRatzo]

No, no. It's not astroturfing to make AT&T look bad, it's astroturfing to disrupt any discussion of a story which makes AT&T look bad. I must not have been clear.

Re:Another report

[DMiax]

It can work because many don't have java-script enabled so you can't even collapse the offending thread.

Now I understand! You are a Javascript astroturfer, right?

Re:Another report

[shutdown+-p+now]

You do understand that every time you post such crap in a Slashdot story (and it seems to be in Every. Single. Fucking. One.), you do nothing but drive more bad feeling towards Microsoft? If you want to do advocacy, fine - but then study what you're promoting enough to be able to meaningfully argue in favor of it, rather than spewing pure concentrated marketing drivel ("makes sure the programmer is coding safe code" - WTF?).

This isn't a room full of clueless PHBs where the higher your concentration of buzzwords, the better. This is Slashdot, where audience is highly technical, mostly inclined towards FOSS already, and has very little patience for bullshit.

Re:Another report

[symbolset]

Dressing it up with fancy words doesn't change its essence. It's astroturfing. It won't succeed because its general assumption is that people are stupid. They're not, or at least enough of us are not to protect us from this. It's got fail written all over it.

And perhaps that's the point. Microsoft may now want to fail in the most conspicuous way, so as to diminish their brand and control. If that's the case, I'm for it.

Re:Another report

[symbolset]

It's easy to write bad code. It's just really hard to maintain it.

Re:Another report

[symbolset]

Congratulations. You're tagged too. Collect your stuff.

Re:Another report

[symbolset]

Thanks for giving up another shill account.

Re:Another report

[DrXym]

Of course. That is hardly relevant. The question is, how hard is it to write bad code?

I think SQL databases / drivers could do a lot more to protect themselves from bad programmers. For example we all know that a prepared statement is safer from SQL injection than an ad hoc one because params are properly escaped. So why allow ad hoc statements at all by default? Seems to me that drivers should require the app to explicitly override safeguards if they want to dangerous things. Likewise SQL comments are often used to disable the rest of an injection attack but why are they needed in client side sql? So disable them. If the bad programmer absolutely wants to they can throw the switches but perhaps in reading how to do it, he / she might learn to program better and would of course be safe by default rather than insecure by default.

Re:Another report

[turbidostato]

"Bill, is that you?"

No need to. Just Larry on his presumed roadmap.

Re:Another report

[GameboyRMH]

Yeah it's the hot new thing on Slashdot. This one is especially hilarious because MSSQL is actually *more* vulnerable to SQL injection, and any web developer knows to avoid MSSQL like the plague covered in herpes sprinkles with a giant spider on top.

Re:Another report

[GameboyRMH]

Astroturfing is illegal in the UK, and if I understand correctly, in the US as well (can a lawyer confirm?).

Re:Another report

[GameboyRMH]

Yeah it's like sunglasses. The fashion changes a little but never goes out of style completely :P

Re:Another report

[GooberToo]

The problem isn't really PHP. The problem is, PHP has become the VB of the web which has significant allure to a very specific user profile. Sure, some can truly explore its power but most have no idea what they are doing. Sadly, a lot of these same people who are wondering about in the dark are contributing to many popular PHP projects and frameworks. This is why PHP is synonymous with poor security and easy exploits.

Add to the fact many developers later jump ship to other languages and other frameworks and discover better performance with more powerful frameworks, typically with far, far fewer security issues, it raises the question of why anyone is bothering with PHP and their frameworks.

Re:Another report

[hairyfeet]

Ya know, up until Windows 7 I agreed 110% with old Steve, but not now. Maybe it was an accident, maybe it was the whole 1000 monkeys thing, but Windows 7 somehow has just the right mix of being friendly and intuitive for the noobs like my dad while still letting old hands like me work faster.

Damned if I can figure out how they did it, but while I hated the WinXP fisher price crap, and Vista just looked like a bad DeviantArt skin and behaved worse, Win 7 has my dad using more features in less than a month than he EVER did from XP, while making my work and play faster. Frankly I just love the breadcrumbs, the WMC, and WMP 12, and finally they got memory management right after all these damned years with Superfetch. It is just so damned nice to have 8Gb of RAM and actually be able to feel it in action because Win 7 preloads all my apps at the times I always use them so it is just click and go. Man that's nice. Frankly playing with a friends Macbook I don't think OSX SL is nearly as nice, and that's the first time I've ever thought that, so maybe old Steve just ain't got it anymore? hell it wouldn't surprise me if they completely bone Windows 8, heaven forbid they get two right in a row.

Which is why I just don't get the shilling. Shilling has always been an act of desperation in my book, a company on the ropes trying to drum up buzz, which just don't make any sense in this case. Sure WinPhone is DOA, but Win 7 is damned nice and doing great and the X360 pretty much owns this generation, so I just don't get it. I mean they have VS which has tons of developers locked up, a great OS for once, the 360 has finally got them in the living room, so NOW you shill? Where were they when Vista was stinkin up the joint?

Maybe you're right and it is some sort of bot software from MSFT R&D, because frankly it makes no damned sense, not only from the timing but from the posts themselves. They are ALL over the place, not really pushing any brand or trying to generate any buzz for a particular product. I mean usually even the lamest corporate shilling stays on message, like the Galaxy Tab crap, or the fake reviewer for bad movies, or the ultra lame-o PSP rap crap. But to me this is just head scratching weird and not the usual corporate shill. Maybe it is a bot hell I don't know.

It reminds me of those weird spams I would get a couple of years back where it was just some stream of consciousness haiku with no actual links in it so it was COMPLETELY pointless. Hell I even looked up the unadulterated spams on a couple of servers I was managing at the time to see if there were links being stripped but nope, just weird word salad, like poetry written by someone really stoned. Hell maybe that is what this is, someone at MSFT has gotten some really good shit and is just giggling at all the "WTF?" posts he is generating.

Re:Another report

[doom]

So why allow ad hoc statements at all by default?

There are many useful queries that have no params, e.g. "show tables". Forcing the user to prepare a query that has no params will not improve security.

SQL comments are sometimes useful with MySQL because (if I remember right) they appear in the query log.

Re:Another report

[doom]

Astroturfing is illegal in the UK, and if I understand correctly, in the US as well (can a lawyer confirm?).

In a sane world astroturfing (and half of the things people call "marketing") would simply be regarded as fraud.

Re:Another report

[GameboyRMH]

Yeah, too bad the world isn't sane :-(

Re:Another report

[Zancarius]

It can work because many don't have java-script enabled so you can't even collapse the offending thread.

That's a good point, although I wonder how many people don't particularly like Slashdot 2.1's (3.0?) UI. I'm still running with the classic comment mode enabled--or as close to it as I can get. Filtering by my friends list and a reasonable threshold seems to catch most of the junk.

However, even I will admit that sometimes the junk is so astoundingly stupid, it's vaguely humorous.

Incoming botswarm

[symbolset]

Microsoft web serving products? How dumb can can a bot get? Turing fail.

Re:Incoming botswarm

[mace9984]

+1 funny

Bad link in summary

[innocent_white_lamb]

Should be: http://techie-buzz.com/tech-news/mysql-com-database-compromised-sql-injection.html

(There is an extra l in the summary's link.)

why is it ironic?

[larry+bagina]

I would expect MySQL.com to be hacked with an SQL injection bug. They didn't support parameterized queries until version 5 or so and most mysql examples floating around on the 'net involve building your own query string from unchecked user parameters.

Re:why is it ironic?

Perhaps you need a little refresher on irony.

Few but the most naive would expect the MySQL.com site to be written by nubies and rubes so unsophisticated as to depend on remedial examples of anything found "floating around the 'net". To the contrary, most people would expect MySQL.com to be maintained to somewhat high levels of security in particular at the level of the database. This is the construction of the irony in this case.

"How ironic, now he's blind after a life of enjoying being able to see." -- Homer Simpson.

Re:why is it ironic?

Sanitising inputs is not at all on the same level as parameterised queries.

Not only can it be tricky to do without mangling if done zealously, but due to unicode support in SQL and escaping syntax, you can get around even a proper sanitisation.

Parameterised is really the only way to go.

Re:why is it ironic?

I am finding these codes on the internet, but they are not working. Please can anyone help in making these codes work, I am not knowing what is wrong, and I must complete my assignment to receive my masters degree in computers science so that I can have long career as manager providing highly skill service.

Re:why is it ironic?

[LizardKing]

I think you'll find you are the naive one. Those are the same MySQL "experts" that claimed referential integrity was a waste of time, and should be implemented in application layer code. That is, until they had some semblance of support for it, although you were still screwed if you needed full text indexing on one of your tables.

Re:why is it ironic?

[marcosdumay]

"...most people would expect MySQL.com to be maintained to somewhat high levels of security in particular at the level of the database."

Specialy so after they got bought by Oracle. But, ironicaly, I don't remember any such news from before that.

USE BIND VARIABLES

[MoNsTeR]

Jesus fuck, people. It's not rocket surgery.

If you use bind variables, you CANNOT be SQL-injected.

If you don't, you can be.

It's that fucking simple. Do The Right Thing.

Re:USE BIND VARIABLES

[SanityInAnarchy]

Note that this doesn't mean you should assume you're safe just because you're using bind variables -- be aware of stuff like LIKE, for instance.

But yes, that is exactly the frustration I have when I hear about things like this. There's pretty much never a reason to build your own SQL string outside of a library.

Re:USE BIND VARIABLES

I just use something : addslashes(addslashes(addslashes(addslashes($str)))) ;
I like slashes ;-) ;

Re:USE BIND VARIABLES

[vlm]

Note that this doesn't mean you should assume you're safe just because you're using bind variables

For example, bind variables are a great way to store the wrong value in the wrong column. Admittedly I'd rather discover that bug in the unit tests on the dev server, than discover the injection on the production server, but I can none the less hear the siren call of doing it the wrong way...

Now what would be nice would be libraries for ALL languages that look like convenient, yet vulnerable, inline SQL but translate behind the scenes into bind variables.

Also fun, if the (numerous) lint-y / perltidy-y whatever apps would highlight or comment upon security problems like this in an automated manner.

Re:USE BIND VARIABLES

[Dunbal]

Jesus fuck, people. It's not rocket surgery.

Apparently it's brain science.

Re:USE BIND VARIABLES

[smellotron]

There's pretty much never a reason to build your own SQL string outside of a library.

Not to negate your argument (with which I agree), I want to demonstrate a case where building your own SQL string makes sense. Suppose you want to perform a SELECT that matches a set rather than a given value:

SELECT make, model
FROM vehicle
WHERE vin IN ('1M8GDM9A_KP042788', '1M8GDM9A_KP042789');

The prepared statement is a function of the number of VINs in the set. Something like this python code:

VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789")

SQL = """
SELECT make, model
FROM vehicle
WHERE vin IN (%s)
""" % ', '.join(["%s"] * len(VINs))

dbconn.execute(SQL, VINs)

The risk to manage here is the possibility of an overflow in the number of parameters. You might need to restrict the size of VINs before attempting to prepare the statement.

Re:USE BIND VARIABLES

[Cylix]

I'm of the new school and prefer rocket brain....

Re:USE BIND VARIABLES

[madprof]

Are you saying MySQL does not escape the delimiter characters within values passed to the LIKE operator?

Re:USE BIND VARIABLES

addslashes() is unsafe. In PHP you want to be using the standard function "mysqlreallyescapethingsanddoitproperlythistime()". Don't go using "mysqlescapethingscorrectly()" by mistake, that one is completely insecure.

(Seriously, why do people use PHP?)

Re:USE BIND VARIABLES

[Just+Some+Guy]

SQL = """
SELECT make, model
FROM vehicle
WHERE vin IN (%s)
""" % ', '.join(["%s"] * len(VINs))

My eyes, they bleed! Write that like:

VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789")
SQL = """
SELECT make, model
FROM vehicle
WHERE vin = ANY(%(vin)s)"""
dbconn.execute(SQL, {'vin': VINs})

Or even better:

vehicles = session.query(Vehicle).filter(Vehicle.vin.in_(VINs))

Voila. Those work, they're not hideous, and they prevent injection. To repeat the earlier idea: there's no need to write unsafe code. If you are, you're in the wrong line of work.

Re:USE BIND VARIABLES

[camperdave]

Addslashes...Ah the mascara function.

Re:USE BIND VARIABLES

[thebra]

And then while (strpos($string, "'") !== false) { $string = stripslashes($string); }

Re:USE BIND VARIABLES

[cheater512]

I prefer:

$db->select('make, model');
$db->where_in('vin', $vins);
$db->get('vehicle');

Ahh CodeIgniter. I dont write SQL anymore.

Re:USE BIND VARIABLES

[smellotron]

Python DBAPI supports sets natively? You just made my day!

I've been doing the same in C using libPQ, except that it uses $1, $2, ..., $N for placeholders. I wonder if there's another way in that language...

Re:USE BIND VARIABLES

[Just+Some+Guy]

I don't know whether that's a DBAPI feature or a psycopg2 extension, but I tested that code (adapted for my own PostgreSQL table) and verified that it works exactly like you'd expect it to.

The second example was SQLAlchemy, my preferred way of never having to write another line of SQL. I know I can write complex, efficient queries if I want to. I also know that I'd rather let the computer figure it out for me. :-)

Re:USE BIND VARIABLES

[Third+Normal+Form]

Tom Kyte of Oracle/"Ask Tom" fame blogged about this recently:

[speaking about HBGary] And all because of - SQL Injection... If you don't use bind variables - you are susceptible to it. If you accept input from an end user and concatenate it into your SQL, you are subject to SQL Injection. If you use bind variables - if you do not dynamically construct your SQL at runtime - you are not subject to it. It is that simple.,

http://tkyte.blogspot.com/2011/02/interesting-read.html

He continues, "it is much harder to write code that doesn't use binds than it is to write code that uses binds". I agree- I feel... dirty... not taking the minute or two to add a parameter. Looking at our error logs, I see bots searching for parameters in web forms and testing vulnerabilities.

Re:USE BIND VARIABLES

> WHERE vin = ANY(%(vin)s)"""

The only reason that works at all is because the MySqlDB dbapi driver uses string substitution instead of real parameter binding. It's really a piece of garbage, especially as compared to the much more modern oursql driver. SQLAlchemy under the covers has to do the same thing (no db I know of can bind non-scalar parameters) but at least it's marginally a little safer, and it's actually portable across databases.

   

Re:USE BIND VARIABLES

[JustinRLynn]

Yeah, you pretty much do, you just don't write it in SQL any more, you write it using codeigniter's API. I'd much rather see:

$matching_vehicles = $vehicles->findBy(array('vin' => $vins));

There's nothing quite like a proper abstraction. You might want to take a look at the Doctrine ORM.. it implements something like that.

Re:USE BIND VARIABLES

[JustinRLynn]

You know, I could be a smart arse and say this rules out most people that choose to use PHP, but I think my karma would burn. Oh wait....

Re:USE BIND VARIABLES

[lightknight]

Nonsense. I like to rock the DB by building strings manually all the time. Makes refactoring / debugging them easier.

How do I avoid the stupidity of input sanitization these days? Through the magic of Base64 encoding any input I receive from a user. It sounds crazy, but it works (for now).

Re:USE BIND VARIABLES

[bytesex]

You must *love* using a database client to peer directly into your tables. Nothing but base64 gibberish in there. Do you actually store numbers, calculate with them, compare them ?

Re:USE BIND VARIABLES

[Xenna]

Hah, I had that great idea sometime when I first started using mysql.
It's secure allright, but a giant pain in the butt to work with.

Re:USE BIND VARIABLES

[Lorien_the_first_one]

So the hack isn't a question of the design of MySQL, it's due to poor configuration of the database itself? I agree with you that there is no assumption of safety as all we can really do is make the wall higher to keep the buggers out. The reason I raise the question is that some in the press will make this out to be a design flaw in MySQL itself rather than talk about the real cause being a configuration that wasn't safe.

Re:USE BIND VARIABLES

[Lorien_the_first_one]

What a trip. I'm not an SQL guy, but I'm fascinated by the discussion. So you can look at logs to see that bots are trying to hack your db? Does it look like the bots have any kind of intelligence? Do they seem to learn as they go? Can you tell if there is any human intervention?

Re:USE BIND VARIABLES

[yahwotqa]

More importantly, do the logs mention any dreams, or sheep, or even dreams about sheep?

Re:USE BIND VARIABLES

[Third+Normal+Form]

This is more from an application error log- it has a good bit of javascript on the web front end that make it very hard for humans to generate exceptions, it's usually only when somebody is trying something (e.g. manually changing the querystring passed) or a bot that exceptions are generated.

The case that comes to mind is "cz32ts" (or that's at least how it identified itself in its user-agent header). It sends requests like this, looking for raw exceptions back:

person=xxxx%2cyyyy%2czzzz%2c%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)>0

Re:USE BIND VARIABLES

[kat_skan]

I'll give you guys the benefit of the doubt and accept at face value the claim that you always use Replace and never forget even for numbers and values you're totally sure you didn't get from the client. You are still vulnerable.

Even if you fixed that, or tested for it and found that the way your database and web servers are configured that you aren't vulnerable, why in God's name would you just assume that there's not still some other attack vector you don't know about? On behalf of everyone whose credit card information you may be storing, please use bind variables!

Re:USE BIND VARIABLES

[xtracto]

Yeah, that and remember to use the correct function:

mysql_real_for_real_we_swear_this_is_the_shit_escape_string()

Re:USE BIND VARIABLES

[xtracto]

by Third Normal Form (211331) Alter Relationship

Man.... this guy really knows about SQL uh?

Re:USE BIND VARIABLES

[lightknight]

Note that I said any input from the user gets stored with Base64.

Any input I create can be stored normally, though I do tend to store strings as Base64 anyway.

Numbers usually aren't a problem, but I grant you that looking at tables with Base64 encodings does take some time getting used to it.

Re:USE BIND VARIABLES

[lightknight]

Agreed. But it permanently solves the input sanitization problem.

Sometimes the medicine feels worse than the disease (especially when you first start doing it), but the part where some wanna-be hackers are pounding that textbox on one of your pages, looking for a way into your db, and your server doesn't croak is a truly wonderful feeling.

The response from your fellow team members usually starts with "damn it, it won't break. what did you do that it's not breaking anymore?" followed by you showing them the code + db tables, and their response of "what in the sam hell...WTF...OMG...yes, yes!".

Re:USE BIND VARIABLES

[Xenna]

That's about the same thing my colleagues said when they first looked at the code and the database. ;)

Re:USE BIND VARIABLES

[wsapplegate]

Not to be a dick, but mysql.com is written in php and you cannot bind variables in php (based on a simple google search).

Are you sure you actually fired up a Google search? The second result of a search for "php mysql bind variables" leads you directly to this function. Not to mention ADOdb can fake it even if you don't use the mysqli driver, and I'd bet PDO and the other libraries can do the same. Seriously, even if you're a PHP developer (I'm one), you have NO EXCUSES for not using bind variables. The hassle is quite low, and the peace of mind is priceless...

Re:USE BIND VARIABLES

[marcosdumay]

You'd want to not use PHP if you really want to realiably put and retrieve any string from a database.

Or you can use the base64 encoding somebody posted above. Most of the times you don't need to reliably store and retrieve ANY string from a database, and then, PHP may be ok, or it may fail exactly at the strings you want...

Re:USE BIND VARIABLES

[Saint+Stephen]

They used a code generator for all the SQL. Only EXEC calls to auto-gen'd SPs, just did a religious doubling of single quote, and I'll be gobsmacked if I could find a way to inject squat.

I tried all that shit with unicode variations - nothing broke it.

Face it, it worked.

Re:USE BIND VARIABLES

[SanityInAnarchy]

I have to agree with the AC here. And bind variables don't have to be inconvenient, either -- check out Rails (or, really, any Ruby ORM), and I think .NET has something similar, where an internal DSL is used to define the query you're going to execute.

Really, is this contrived example of checking whether a user is an admin:

SELECT admin FROM users WHERE name = $somevar;

so much more "convenient" than this:

User.first(:name => somevar).admin?

Re:USE BIND VARIABLES

[SanityInAnarchy]

I don't think this negates my argument at all, particularly because this is exactly the sort of thing I would put in a library and never look at again. The other responses suggest that this has been done, which doesn't really surprise me.

Re:USE BIND VARIABLES

[SanityInAnarchy]

I don't know about MySQL specifically, but a minute or so of Googling confirms my suspicion: LIKE is vulnerable to DOS attacks.

It's not strictly a SQL injection attack. Rather, the point is that you shouldn't assume that bind variables automatically make all user input safe, unless you also understand how that user input can be used in the query in question.

Most things are still perfectly safe. If all you're doing is select/insert/update with equality, you're probably fine.

The point here is that bind variables don't make you invincible, but they do make a certain class of vulnerabilities harder to create than to avoid, and they even make your code run faster.

Re:USE BIND VARIABLES

[SanityInAnarchy]

*facepalm*

Really?

First, Base64-encoding any input you receive from a user is going to be exactly as effective as quote-escaping any input you receive from a user -- that is, it works until you forget to do it. Except your method has the added bonus of increasing the amount of storage and making maintenance a headache.

Second, WTF does "rock the DB" mean? And even if you're building strings manually, why would you deliberately concatenate user data in there, instead of refactoring/debugging your strings into prepared queries? For that matter, are you aware that there are awesome APIs for SQL databases which don't require you to write SQL all the time, yet allow plenty of refactoring/debugging?

I mean, really, this is like avoiding email viruses by printing, then scanning, any email before you read it. Effective, but it makes my eyes bleed.

Re:USE BIND VARIABLES

[SanityInAnarchy]

This hack in particular isn't a question of the design of anything. It's a bug in their website code, and a damned stupid bug at that -- one which, as MoNsTeR suggested, could've been avoided by adopting a slightly different coding style (bind variables) which is faster with many databases, and completely avoids SQL injection, which is what happened here.

The LIKE example I gave was just to show that bind variables don't automatically make you secure, but it's irrelevant to what actually happened here. But still, it's a lot easier to pay attention to whether you're doing stupid things with user input (like passing it unescaped into a LIKE query) when you don't also have to wonder if Bobby Tables will ruin your day.

Yo Dawg

[mrstrano]

I herd you like Sql, so we injected Sql in your Sql so you can have Sql while you code MySql

Re:Yo Dawg

[JAlexoi]

Should they change MySQL to PwnSQL?

Re:Yo Dawg

[MarkRose]

An SQL statement walks into a bar and sees two tables and says, "Hello, may I join you?"

Re:Yo Dawg

[Sparks23]

Honestly, "YourSQL" seems more accurate than "MySQL" given that apparently even the developers can't keep control of their own database. ;P

Re:Yo Dawg

[smellotron]

One of the tables replies, "Naturally."

Re:Yo Dawg

[MarkRose]

InnoDBody knows the injections I've seen,
InnoDBody knows my sort order
InnoDBody knows the injection I've seen
Shoulda used MyISAM!

Re:Yo Dawg

[auLucifer]

Wow. That was so lame I had to lol. Thank you for a good Monday morning /. laugh

Re:Yo Dawg

[Tablizer]

Tell us about when Cartesia walks in.

Re:Yo Dawg

[MarkRose]

Oh René! I saw him. He was a bit out of his head, walking around all uncoordinated. I think he had already been drinking a while.

Re:Yo Dawg

[MarkRose]

Pardon the grammatical gaff, but don't you mean YourSOL? :-)

Re:Yo Dawg

[Shikaku]

http://lmgtfy.com/?q=mysql+table+join

Too funny

[danielcolchete]

After I finished visit all the funny sites I usually go to daily, that title made laught much much more than all of them.

This reminds me of the time...

[djpretzel]

... our local file station burnt down.

The work of a lonely developer

[danielcolchete]

Even inside a big team of a big company it is amazing how so many people are working by themselves. That's the kind of error that a simple code review by an experienced programmer would have avoided (use bind variables/prepared statements).

Re:The work of a lonely developer

[jd]

Quite possibly on the lone programmer, almost certainly on the code review. The NSA has some nice whitepapers on how to prevent SQL injection attacks, though they could really be summarized as "follow parent post's advice".

Re:The work of a lonely developer

[Lorien_the_first_one]

No kidding. I hate working by myself. I think I would really enjoy working in a team where I can bounce ideas and solve problems together.

Re:The work of a lonely developer

[Eunuchswear]

The NSA has some nice whitepapers on how to prevent SQL injection attacks

That is so fucking sad. Imagine your first day at work at the puzzle palace, expecting to work on some shit hot, high tech, super secret stuff and they say "write a paper on how to avoid SQL injection attacks."

Re:The work of a lonely developer

[TheLinuxSRC]

You make a good point unless this hack was intentional. Brilliant move by Oracle, really -- upsell Oracle DBs because MySQL will simply never be secure enough; I mean look at their own site being hacked.

Re:The work of a lonely developer

[hesaigo999ca]

I agree, but the bottom line is most companies do not want to spend the extra cash, and seriously they need too....
I have seen way to many BIG companies take small company measures, until they are hit by fraud, then they panic, and it's like...what did you think was going to happen?

Well ...

[lennier1]

Could've been worse. Imagine something like this had happened to Zend!

Re:That's Not Ironic

[6031769]

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that's hypocrisy, not irony. Try again.

Re:That's Not Ironic

[NoOneInParticular]

If a website gets hacked, it is sad. If the website in question is the home of one of the products that is commonly used by websites, it is already ironic. Apparently even the builders of this product don't know how to secure a website using their product.

Too bad

[93+Escort+Wagon]

Too bad it's not "unbreakable" like Oracle's other database...

Re:Too bad

[KiloByte]

Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

Re:Too bad

[93+Escort+Wagon]

Yeah, that's why I had it in quotes. I could've added a giant smilie or something, I guess...

Re:Too bad

[sproketboy]

Only on /. would a tin foil hat comment like this get modded up.

Re:Too bad

[dkleinsc]

Yeah, they might convince more people to switch to PostGres!

Re:Too bad

[mobby_6kl]

Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

Yeah but so does everyone who's ever worked with databases and doesn't have their head stuck completely up their ass. Let's pray this piece of shit is dead and buried soon.

Re:Too bad

[marcosdumay]

Yes, because people within a company never, ever go out of their way to get some money.

We should be sane people, and expect companies to act in a way that is less lucrative, not more.

Re:Too bad

[marcosdumay]

I'd guess that anyone that wasn't convinced by the takeover is a lost case anyway.

Re:That's Not Ironic

[Trebawa]

There are several definitions of irony, you know. One is an outcome of events contrary to that which might have been expected. You would expect a website concerning SQL to be well-protected against SQL-injection; in such a situation, an attack of this kind would not succeed. The attack did succeed, hence the irony.

Yes it is

[pavon]

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that is hypocritical. Situational Irony is where the outcome is has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Re:Yes it is

[glwtta]

The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Having used MySQL, I don't see anything unexpected here.

Re:Yes it is

[Ephemeriis]

Situational Irony is where the outcome is has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation.

I hate the whole "situational irony" thing... It's bullshit. Situational irony didn't exist until a crop of kids were poorly educated in what irony actually is, and then Alanis wrote her song, and everybody was running around calling everything ironic. It wasn't actually ironic in any way... But trying to correct everyone under the age of 20 in America is a losing battle... So they gave up and said "yeah... it's a different kind of irony..."

Yes, I know, language is a consensus. It grows and changes over the years. And whether I like it or not, "situational irony" now exists. But that doesn't change the fact that it's wrong.

Just like all those folks who call their computer the "modem" or "hard drive" are wrong.

Re:Yes it is

[DieByWire]

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that is hypocritical. Situational Irony is where the outcome is has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Excuse me, is this the right room for an argument?

Re:Yes it is

[Daniel+Dvorkin]

The situational meaning of "irony" is very old and well-established, and in fact probably predates the linguistic meaning. Look it up, and don't try to impose your own ignorance on everyone else.

Re:Yes it is

[Just+Some+Guy]

The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Actually, it's exactly what I would expect.

Sincerely,
Smug PostgreSQL bigot

Re:Yes it is

[Doc+Ruby]

No, hypocrisy is holding everyone else to a behavior standard, whether by words or otherwise, but violating that standard yourself. Hypocrisy is ironic when the hypocrite uses words to hold others to the standard.

Just because one is vulnerable to a weakness in one's defining characteristic doesn't make damage by that weakness ironic.

Re:Yes it is

[siride]

Now THAT's irony!

Re:That's Not Ironic

You would expect a person correcting the summary's definition of irony to be aware that there are multiple definitions of irony. The grandparent was clearly ignorant of this fact, thus making the comment meta-ironic.

Re:That's Not Ironic

[WrongSizeGlass]

Merely related ideas are not "ironic". Ironic is when one's words say one thing and one's actions another that contradict it. If MySQL.com claimed SQL injections in MySQL were impossible, then this attack's success would be ironic. If MySQL.com attacked some DB with a SQL injection, that would be ironic. Not all coinciding events are "ironic".

So it would be ironic if MySQL.com was hit with an SQL injection if they were using MS SQL for their server DB?

Does xkcd explain it?

Like this?

Re:Does xkcd explain it?

[Tridus]

I have that comic taped to my door. Any programmer who walks by, reads it, and doesn't laugh is someone I watch VERY carefully when they write any code that touches a database.

Re:Does xkcd explain it?

[roman_mir]

On the other hand if the same guy walks by often and laughs at that every single time, I would just watch VERY carefully to make sure they don't bring in a firearm.

Re:Does xkcd explain it?

[adamofgreyskull]

Firstly, a little tongue-in-cheek lambasting of xkcd and, by extension, Tridus hardly constitutes a troll, unless you think trolling is vehemently expressing any opinion that conflicts with /. groupthink? My post was closer to a flame, but it would be thought a pretty tame one anywhere but my Grandmother's sewing circle. Also Real trolls are much more subtle than that. Maybe once you've been on the internet a while you'll learn the difference. ;) (JOKE)

Anyway, back to my point: humour is just about the most subjective thing on the planet. xkcd can be funny, but I consider the "Bobby Tables" comic to be about as funny as when a technical book makes a reference to Monty Python in the footnotes, i.e. not funny. At all. Do I think Monty Python is funny? Yes. Do I think quoting Monty Python is funny? No. Do I think someone making a reference to something funny is in itself funny? No.

The person I was describing in my original reply to Tridus was me. You see, I identify with those of his programmers who don't laugh. One dry half-smile when it was first posted, followed by NEARLY FOUR YEARS of seeing that stupid fucking thing linked on Slashdot and elsewhere, what seems like every time a story summary or a comment contained "SQL"

Oh and if you think I'm adopting a contrary position for the fun of a flamewar....why? Because humour is objective? Because humour is subjective but that all Real Geeks find xkcd #327 funny? Rubbish. I honestly don't think that comic is funny and I'm not the only one who thinks so:

http://xkcdsucks.blogspot.com/2008/05/did-i-say-webcomic-i-meant-webreference.html
http://xkcdsucks.blogspot.com/2008/03/guess-what-i-am-imagining-if-something.html

Oh and this doozy of a comment from the aforementioned xkcdsucks blog says it all:

aloria said...
Man, xkcd has become so boring and lame that it's actually sapped my will to snark on it. The only thing that works me into a lather anymore is when people incessantly link to the "Bobby Tables" comic every time SQL injection comes up on a message board.
July 10, 2009 12:29 PM

That comment is from 2009, posted nearly 2 years ago, and bear in mind that was almost 2 years after the comic was first posted. I'll bet aloria has killed herself by now...

Re:Does xkcd explain it?

[minus9]

Sounds like someone has a case of the Mondays.:(

Re:Does xkcd explain it?

[kangsterizer]

I have that comic taped to my door. Any programmer who walks by, reads it, and doesn't laugh is someone I watch VERY carefully when they write any code that touches a database.

or someone who saw this joke linked a thousand times - can't laugh every time after that!

Re:Does xkcd explain it?

But it's wrong. You shouldn't sanitize your database input; you should code in a way that makes sanitization (I hope that's a word) unnecessary. The problem with sanitizing input is that you'll get it wrong eventually, so you should do what the first commenter above suggests and use bound variables.

(That's not to say that sanitizing is bad in general. Ideally, you should mimic Perl's taint mode and always treat user-supplied data as tainted until it was specifically, positively matched against a regex (or several) describing what's allowed; in other words, use a (regex-based) whitelist, and don't think about what you want to filter out (you'll always miss something!) but rather about what you want to let in.

Re:Does xkcd explain it?

[Lorien_the_first_one]

Thank you. That was worth about 2 minutes of laughter. Nice way to start a day.

What year is it?

[glwtta]

SQL injection attacks? What, is it 1998 again all of a sudden?

Are there really still people out there mashing user input together into a string that they then feed to the database?

Why would you even do this - it's not easier, the performance is worse, and it certainly doesn't make for more readable code.

This level of ineptitude is just shocking.

Re:What year is it?

[smellotron]

In related news, teenagers are still bad at driving! Won't they ever learn proper lane usage?

Re:What year is it?

[francium+de+neobie]

The thing is, if you have 100 engineers working on your code, and they write or modify 200 lines of code every day - it's very hard to guarantee there's not a single line of vulnerable SQL code written over 3 years. It only takes one mistake to get your server compromised.

Re:What year is it?

[Software+Geek]

When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"
I have never yet interviewed a candidate who answered yes.
So, then I explain what an SQL injection attack is, and ask how they would test for vulnerability to one.
Almost without exception, the answer is "I guess I would try entering some special characters and keywords into the GUI, and see what happens."

Re:What year is it?

[glwtta]

100 engineers, for mysql.com?

Simple solution - fire the 80 incompetent ones, the other 20 will be able to get a lot more done. Heck, also give them 1/4 of the money you were wasting on the dead weight.

Re:What year is it?

[discord5]

When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"

Hahaha, reminds me of what I used to do to interns. We used to get a bunch of interns every year, and every year we'd have them develop small web applications for internal use. They'd work on their project and after a few weeks we'd come in and evaluate their work, steer them in the right direction (if that wasn't necessary earlier) and do a few tests.

The first thing I always asked was "Do you have a backup?" and after the inevitable googling of the mysqldump command I'd be an utter bastard and sneak in a DROP TABLE, or DELETE FROM statement in the URL bar, right after id=x, and surely enough most of the times it would work.

"It looks really great, but I think there's a problem with it. Maybe you want to check the logfiles to see what happened." to see if they'd see what was the problem, and if they didn't I would explain an SQL injection attack to them. Few of them managed to find the solution on google, but most immediately suggested such things as "I'll check for ; in the string" which inevitably led to me trashing their tables about 10 minutes later. I have to say, once they had their tables dropped twice they became real careful of permissions and handling SQL statements.

In a way I hope they learned something from having a complete bastard as a mentor, although I'm sure that a few of them have already forgotten about that one time a single statement ruined their database. Oh well...

Re:What year is it?

the performance is worse

Not always. I've seen an example firsthand where a dynamically created string substantially outperformed the prepared version of the *identical* query, both in the EXPLAIN PLAN and when the query was run. The DBMS? None other than Oracle 10g. It often seems like you have to be an experienced DBA to get the query optimizer in Oracle to come up with a sane access plan. There are an awful lot of queries where I work that involve a substantial amount of hinting to get Oracle to behave properly.

Re:What year is it?

[El_Oscuro]

Obligatory: xkcd.

Re:What year is it?

[francium+de+neobie]

It doesn't even take 20 engineers over 3 years to make such a mistake. It only takes one - even you can and will do it. Just imagine yourself doing simple addition with numbers in the range [0, 10] every day - and you do 1000 such stupid math questions on a good day and 10000 during crunch time. And you keep doing that for 3 years. There has to be one day, you do one of these additions wrong - not because you're bad at maths - but because you're a human. I understand perfectly that you'll use an ORM or at least SQL bind, or whatever method you prefer to prevent SQL injections... but just as it's possible to leak memory in Java or any GC language, you're bound to find an uncommon or plain stupid way to make a mistake after a while.

Re:What year is it?

[Synn]

Where are these jobs people are only writing 200 lines of code a day? I could put in a single 5 hour day and then take the rest of the week off.

Re:What year is it?

[Shados]

Job where you're not working as a dumb code monkey and where the design of the application is more complex than its implementation. With modern tools and languages, an entire application can be a few hundred or thousand lines of code top. Getting the business requirements, the look & feel and design right can still take months. End result: i have weeks where I'll write maybe 10 lines a day.

Re:What year is it?

[glwtta]

I think you're giving yourself too much credit, a complete bastard wouldn't have asked about backups - that way, it's two lessons in one.

Re:What year is it?

[EricWright]

If SQL*Injection isn't bad enough, think on this. Writing a single query with bind variables can be parsed once. Then it's just a matter of repeated bind/execute/fetch. Character strings mashed together have to be parsed EVERY SINGLE TIME (assuming you're doing something sane like enforcing exact cursor sharing).

select * from foo where bar = 'ABC'
and
select * from foo where bar = 'DEF'

have different hash values.

select * from foo where bar = :1

has its own hash value and can be reused for all values of :1.

Disclaimer: The above post represents the behavior of Oracle DB. I assume most SQL RDBMS engine work in a similar fashion.

Re:That's Not Ironic

[Troll-Under-D'Bridge]

Unlike the reserved words of a computer program, words in a natural language have a wide latitude of uses, from the strict to the colloquial. Here, I see the "irony" in how a site designed to promote some type of "SQL" turns out to suffer from an SQL flaw, in effect negating the product's virtues in the eyes of those who like to skim through IT news headlines. It's similar to the way you expect a dentist to have good teeth.

Ironic is when one's words say one thing and one's actions another that contradict it.

I think you're thinking of another word: hypocrisy, e.g., a politician who claims to stand for morality but goes out with a hooker.

Even more concerning

[HuckleCom]

So what they have a ton of usr@% grants on an open-to-the-world server? No vpn? jesus ....

Re:That's Not Ironic

[LordNacho]

Meh, security is a bit of a cross-cutting concern. People who are thinking about how read/write rows of data quickly might not have given it much thought that their product can be abused in this way.

I will give you that injection attack is a rather basic hack they should have thought about.

Re:That's Not Ironic

[LordLucless]

Ironically, the OP correcting someone else for not using ironic correctly is both hypocritical and ironic.

Re:That's Not Ironic

[MarkRose]

Screwing up irony is the only thing that unleashes the linguists with such ferrousity.

Re:That's Not Ironic

[nmb3000]

Merely related ideas are not "ironic". Ironic is when one's words say one thing and one's actions another that contradict it.

Like rain on your wedding day?

Password hashing + salt?

[Coolhand2120]

That simple passwords were revealed shows a lack of understanding or incompetence. The reason only "simple" passwords were revealed was from a poorly made SHA1 hashing function. Yes this is pure conjecture, but it is the only scenario that fits the facts.

The hackers acquired the database with the hashed passwords. Then the hackers ran the password hashes against a rainbow table which returned the matches for the simple passwords. Now the reason this is incompetence or ignorance is the simple inclusion of a half dozen or so special characters appended to the back of the password during the hash function would make these passwords unmatchable to all but the largest, slowest (super computer realm) rainbow tables. That's why the 'strong' passwords were not cracked.

To defeat all but the largest rainbow tables everyone uses this method is called SHA1+Salt, not my idea but a damn good one. Using salt in your SHA1 hash function prevents this sort of thing from happening. Imagine how many other accounts on other systems are now compromised!

Now there is a chance that the salt string was compromised also, but that's probably not likely because the salt is not (in my experience) is not stored in the database. Allowing SQL injection on a damn SQL site is bad enough, but could reasonably be a single bad coder, having such poor security protocols is incompetence on a grand scale.

I'm just glad the amateur hour over at MySql.com doesn't have my l/p.

Re:Password hashing + salt?

[BCoates]

The salt isn't a second secret, it's there to prevent the use of a pre-constructed rainbow table for the standard hash functions. Without a rainbow table, you can still do dictionary attacks of weak passwords--and there is no way to prevent this short of not using passwords for authentication. This only harms people who use guessable passwords and re-use passwords between sites.

Re:Password hashing + salt?

[Coolhand2120]

You can very easily convert a rainbow table into a rainbow table + predefined salt, a simple SQL statement and 10 minutes later your 1TB rainbow table becomes rainbow+salt. If you don't keep your salt a secret you may as well not use it.

Without a rainbow table, you can still do dictionary attacks of weak passwords

That would only work if you had the hashing function with the salt string. If you're talking about plain old brute force attack against the hashes, well that won't work without the hash function that has the salt string. You certainly can't do brute force attacks against a live port, someone would (god help us - hopefully) notice you. You would need a functioning copy of the hash function with the salt, the entire source code (where the salt is kept) for the site would need to be compromised not just he database.

Now it may well be that the entire source code + SHA1 Salt for the site was compromised. If that's the case, I stand corrected.

Re:Password hashing + salt?

[vgerclover]

There is one incorrect assumption in your reasoning. You don't have to use one salt for all passwords, you can easily use a different salt per entry, and store it along side the password. This way, even if your database is compromised, and the salts are know, you still have to create a different rainbow table for each entry to be able to try and guess the password. This effectively kills the ability of the breacher to fish around for insecure passwords.

Re:Password hashing + salt?

[ianare]

Quite correct, but if the attacker is able to do a dump of your DB, the use of a quickly generated hash means that given enough time, your passwords will eventually be cracked. This is especially true now that GPUs can be used quite effectively for password cracking.

Combine random hashes with a slow algorithm like bcrypt (the one-way hash type, not the 2 way encryption) instead of md5 or sha1 and you effectively increase the time needed to crack your password database to years instead of weeks ...

Re:That's Not Ironic

[MarkRose]

Like Oracle not seeing it coming?

Re:That's Not Ironic

[pankajmay]

...unleashes the linguists with such ferrousity.

And of course spellings... try ferocity.

Re:That's Not Ironic

[realityimpaired]

If we're going to get on a grammar nazi binge, then it's worth pointing out that one of the definitions of Irony is actually exactly what the GP described... (merriam webster's exact words are "the use of words to express something other than and especially the opposite of their literal meaning".) He may not have expressed it properly, but I do think that was the meaning he was trying to get at.

Though interestingly enough, yet another definition of Irony is an incongruency between an expected result and an actual result... so in other words, MySQL's website being hacked with an SQL injection attack *is* ironic, because one would expect the makers of MySQL to have some idea of how to secure it properly. (it's not even that hard to lock down, which makes it even more humorous).

Though I must say... correcting somebody's already correct use of the word irony? Absolutely classic....

Re:That's Not Ironic

[atomicbutterfly]

Why is "irony" so damn hard to define? Or more accurately, to define in such a way that this confusion doesn't keep happening?

Re:That's Not Ironic

[realityimpaired]

hehe... wish I hadn't replied... that is a good one. :) mind if I... um... "borrow" it next chance I get?

Re:That's Not Ironic

[cforciea]

Really, the people that think it is cool to tell people that they are using "irony" incorrectly are more frequently wrong than the people they are trying to prove linguistically inferior. You should look into what situational irony is and why it has been used correctly in this situation.

FUCK. OFF.

[evanism]

Go die in a hole. What complete, utter and total fucking twat.

Re:That's Not Ironic

[dr2chase]

I think your pun detector is a little rusty.

Re:That's Not Ironic

[adamofgreyskull]

Whoosh.

Hint: He's punning on "ferocity" and...ya know..."ferrous".

HAHA FAIL

[sproketboy]

Loser Database.

Re:That's Not Ironic

[sstamps]

The above is what makes me really enjoy reading /. :)

I think my funny bone broke under the strain..

You can never sanitize inputs enough.

[topham]

You can never sanitize inputs enough.
Repeat that to yourself 1,000 times. It's impossible(*).
Parameterized queries / bind variables are the only valid solution.

If you keep convincing yourself you don't need to use bind variables, and that you can sanitize your inputs enough you've already failed.

* - Of course it's mathematically possible to sanitize inputs enough; because theory, and reality don't have a damn thing to do with each other. Reality says you will fuck it up and the hackers will find it in less time than it takes you to read the code.

Re:You can never sanitize inputs enough.

[Eivind]

It's a pity that SQL allows pure string-concatenation construction of queries even. Parametrization is a lot safer and saner, and even has performance-benefits if the database-engine is clever enough to recognize that it's the same query, just with different parameters. (in that case, it doesn't need to create a query plan anew - it can reuse the existing one and save time)

But there's some semi-common constructs that are hard or impossible to do with parametrization. How do you do it for "select $COLUMN from myTable" or, perhaps more common ".... order by $COLUMN"

-sometimes- sanitized inputs is the best you can do. But 99% of the time, parametrization, is the way to go.

Re:You can never sanitize inputs enough.

[andrea.sartori]

How do you do it for "select $COLUMN from myTable" or, perhaps more common ".... order by $COLUMN"

You may use the cat views.
...oh wait, you'd need oracle for that :/

Re:You can never sanitize inputs enough.

[doom]

It's a pity that SQL allows pure string-concatenation construction of queries even.

There is no way to not allow it. Think about this for a minute.

Re:You can never sanitize inputs enough.

[topham]

The trick to handling specialized, user configurable sort and column selection isn't all that hard; if you can't do it any other way you use a Table to translate a string like "SERIAL NUMBER" to the fieldname "SERIAL_NUMBER". The data actually used from the table is created and maintained by the developer and is therefor trusted. The field displayed, or even entered by the user is used for selecting the appropriate field to build the query. The users input is NEVER used directly to build a query.

This means you can build the initial query using bind variables, and use the results of the query to build whatever dynamic queries you need.

That's rich...

[davesque]

That's rich...

Re:That's Not Ironic

[oheso]

hypocrisy, e.g., a politician who claims to stand for morality but goes out with a hooker.

No, that's "redundancy".

Re:That's Not Ironic

[I(rispee_I(reme]

It's similar to the way you expect a dentist to have good teeth.

Or a barber to be neatly-trimmed?

Doesn't make much sense on consideration- if there were only two dentists in town, I'd go to the one with the worst teeth, as the one with superior teeth is enjoying the services of his competitor.

Re:That's Not Ironic

[_Sprocket_]

We like repartee.

Take it a step further. We can learn from this.

[HiggsBison]

bobby-tables.com: A guide to preventing SQL injection

Re:That's Not Ironic

[Doc+Ruby]

No. None of that Morrisette babble is ironic.

Re:That's Not Ironic

[Doc+Ruby]

No, irony is what I described it as, and not what the person I corrected used it as.

The people making up stats like you just are far too many on Slashdot (as elsewhere), regardless of whether there are more of them than there are people citing stats correctly.

I have no problem expecting that MySQL.com will be compromised by a vulnerability in MySQL. That is not ironic, situational or otherwise. It is two entirely consistent conditions, not any that defy truly reasonable expectations.

Re:That's Not Ironic

[russotto]

Why is "irony" so damn hard to define? Or more accurately, to define in such a way that this confusion doesn't keep happening?

A1: Because Alanis Morissette screwed it up forever.
A2: Because there are several types of irony, which are only loosely related to each other.

Ownership

[perlchild]

Cue the "well this never happened when they weren't owned by oracle" in 5..4..3

Re:Ownership

[marcosdumay]

Well, this never happened when they weren't owned by Oracle, and hadn't their site rewriten by Oracle's experts.

Ok, I run a little bit out of the script there, but the original didn't have the proper gravity.

Re:That's Not Ironic

[pankajmay]

I think your pun detector is a little rusty.

True that! I think by the time I wrote that, the irony of the matter was completely lost on me!

Re:That's Not Ironic

[dotgain]

Wow. This is why I come to /.

Where's the dot?

[zooblethorpe]

You're missing the function to add the dots after the slashes.

Re:That's Not Ironic

[hellop2]

Now you guys are steeling each others' jokes.

Re:That's Not Ironic

[lennier1]

MySQL.com is just related to the database.
Ironic would be if a beginner-level screw-up like this happened to a language distributor like Zend.

Expensify?

[theygoto11]

Do you think Expensify will mind if I keep the mySQL experience on my resume?

JPA User

[cowboy76Spain]

What is this "database" thing I keep hearing about? :-p

Re:That's Not Ironic

[dave420]

Which is ironic. Don't ya think?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Rocket surgery is established area of science

[Dunbal]

The comment was "it's NOT rocket surgery", and I therefore responded with an equally fictitious "brain science" comment. There is no "brain science". There is the study of the mind - psychology/psychiatry, and the study of nerves - neurology/neuroscience. But as far as I know, there are probably only 10 encephalologers in the world, and no one has managed to meet them because they fall asleep within 30 yards of them.

Could be intentional on Oracle's behalf

[bl8n8r]

Maybe create a little negative press for MySQL  and in the process Oracle looks better.

ignore this...

[surgen]

posting to kill a mis-clicked comment moderation

Re:That's Not Ironic

[cforciea]

The cool thing about situational irony is that expectations are a personal matter, so if GGP finds it ironic, he is using the term correctly whatever your expectations were. In other words, you may not find it ironic, but it is still not a misuse of the term in the sense that you are trying to imply. It is like you are trying to argue that he is misusing the term "delicious" when he applies it to ice cream because you don't personally enjoy ice cream.

Unfortunately for you, there is no SI unit for either irony or deliciousness, so you'll have to find some other arcane grammar rule to correct in other people's posts to feel good about yourself. I'd suggest who/whom, split infinitives, or dangling participles (a few of my favorites). Just the other day I made a comment regarding a poster using "loose" when they meant "lose", and I even got to make a reference to his mom during the course of the correction, so there are plenty of opportunities if you just apply yourself.

Re:That's Not Ironic

[An+ominous+Cow+art]

Stop the ferrous wheel; I want to get off.

Re:That's Not Ironic

[Troll-Under-D'Bridge]

That's why I said "expect". However, I'd still expect a dentist to have good teeth, even in a two- or one- dentist town. I expect a dentist to know all the tricks of having good teeth, like flossing, brushing after every meal, etc. If he sees a nasty cavity that could lead to bad teeth, I expect him to go and visit (even to the point of going out of town) another dentist who's just as good or a just a wee bit worse than him. Unless he's a self-schooled dentist who doesn't belong to any medical association, you'd expect him to have some contacts. Barbers probably are different since it's not the sort of profession where you have to pass an exam to get licensed, "high-end" hair "stylists" excepted.

Similarly I'd "expect" the MySql site to be free from, at the very least, exploitable security holes in their "star" product, even if that can never be true in practice. Image counts for a lot.