Slashdot Mirror


The History of SQL Injection, the Hack That Will Never Go Away (vice.com)

An anonymous reader writes with this history of SQL injection attacks. From the Motherboard article: "SQL injection (SQLi) is where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies. 'It's the most easy way to hack,' the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a 'few hours.' But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against. So why, in 2015, is SQLi still leading to some of the biggest breaches around?"

6 of 193 comments

  1. Everyone has to learn about it. by Anonymous Coward · · Score: 2, Insightful

    Each year brings a fresh crop of computer science graduates into the industry, barely any of them having a clue about attacks like this. Many of them will make these mistakes and learn about defending against them the hard way.

    Maybe a few schools teach about this now. Maybe a few companies will pair senior devs with new devs to transfer this knowledge on the job. Even so, there will be enough new programmers who don't know this, and enough companies who eschew senior talent as a cost-savings measure, that this vulnerability will continue to rear its ugly head.

    1. Re:Everyone has to learn about it. by unencode200x · · Score: 4, Insightful

      It's irresponsible to continue to do this. With stored procedures, ORMs (there are some good ones out there, I use Linq a lot), and parameterized queries available in all the major languages, I can't help but wonder if people are just incompetent.

      Also, validate and sanitize your input data man. If you're writing code for the web you *have* to do this, no excuses. Albeit, most "web developers" I've seen don't have a clue. Now, get off my lawn!

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    2. Re:Everyone has to learn about it. by OzPeter · · Score: 4, Insightful

      It's irresponsible to continue to do this.

      I was browsing Stack Overflow the other day and looked at an SQL/PHP based question. The poor guy asking the question was obviously a n00b who was just starting to code, and had googled around to find a solution to his problem but it wasn't quite working for him (and hence the SO question).

      From what I saw the problem wasn't that he was a stupid n00b, it was that his googling had turned up horrendously bad PHP code (using ancient DB connection style code, plus totally SQL injection ready) and he didn't know the difference between that code and best practices. So it seems that part of the problem is the act of using google itself and how good code and bad code examples are presented as equals solely based on whatever google's page rank algorithm du jour is. And I can't see how you can fix that without purging google of all the bad code examples.

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:Everyone has to learn about it. by gbjbaanb · · Score: 3, Insightful

      The problem is inherent in many systems so you will always make a mistake until the day that you put all your queries into stored procedures.

      Treat the DB as a generic object pool of crap and it'll be that. Treat it like it's a precious storage system with its own (customisable) API and you'll do far better.

      But of course, slapping SQL together in the client and sending it to the DB to parse and execute is so much easier everyone does it.

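As an added illustration (not code from the thread) of the point unencode200x and gbjbaanb make above: the same name lookup written the way gbjbaanb describes, with the input pasted into the SQL text, and then with a bound parameter, run against a constructed in-memory SQLite table. The table, the sample names and the function names are assumptions made for this demo.

```python
import sqlite3

# Constructed sample data for the demo (not from any real system).
USERS = [("alice", "alice@example.invalid"),
         ("o'brien", "obrien@example.invalid"),
         ("bob", "bob@example.invalid")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the thread complains about: SQL text assembled from the input.
    The input is parsed as part of the statement, so quotes in it change the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver passes the input as a bound value,
    so it is compared as data and never parsed as SQL, whatever it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    """Run both lookups on two inputs and report what each one does."""
    conn = make_db()
    out = {}
    # A legitimate name containing an apostrophe breaks the concatenated query
    # (SQL syntax error) but is matched correctly by the bound parameter.
    try:
        lookup_concat(conn, "o'brien")
        out["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        out["concat_apostrophe"] = "syntax error"
    out["param_apostrophe"] = len(lookup_param(conn, "o'brien"))
    # A tautology in the input turns the concatenated lookup into a dump of the
    # whole table; the same bytes are merely an unmatched name when bound.
    tautology = "x' OR '1'='1"
    out["concat_tautology"] = len(lookup_concat(conn, tautology))
    out["param_tautology"] = len(lookup_param(conn, tautology))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the one to remember: the defect is that user data is being parsed as code, which bites ordinary users long before anyone hostile shows up.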
  2. Re:PHP by phantomfive · · Score: 3, Insightful

    There's a quote from Theo de Raadt that is relevant here:

    “When you know exactly what the APIs are, you’ll spot the bugs very easily. In my mind, it is the same as any other job that requires diligence. Be careful. Humans learn from examples, and yet, in this software programming environment, the tremendous complexity breeds non-obvious mistakes, which we carry along with us, and copy into new chunks of code.
    We’ve even found in man pages where functions were mis-described, and when we found those, lots of programmers had followed the instructions incorrectly”

    --
    "First they came for the slanderers and i said nothing."
  3. Pay peanuts by TekPolitik · · Score: 4, Insightful

    Because businesses think software development in general, and especially web development, is easy. They hire monkeys and pay peanuts (or sometimes even serious dollars that could get them quality if they could recognise they were being taken for a ride), and we continue to see the most basic errors being repeated across most web sites. Seriously, the quality of web developers generally is absolutely appalling.