Thread by Grant Fritchey (13 tweets)
Right, #sqli or #sqlinjection.

Let's talk about it a little.

The concept is simple. Your code allows someone to place additional SQL commands in it. That "injected" code enables data access and/or system hacking (depending on the security in place).
The problem, and the solution, has been well defined since 1998.

Simply put:
Parameterize the query
Escape the input
Have proper security in place
Use correct data types

In a nutshell. There's a ton more details, but that covers the basics.
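The four bullets above are the whole fix, and they are easiest to see side by side in code. The block below is an added example written for this page, not code from the thread or its author: it uses Python's standard sqlite3 driver and a constructed three-row users table to show the concatenated query that a tautology payload rewrites, the parameterized version that treats the same payload as an inert string, an integer cast for an id column (correct data types), and an allow-list for a sort column, because identifiers cannot be bound as parameters and so still need escaping after validation.

```python
import sqlite3

# Constructed sample data for the demo; not from the original thread.
SEED_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Classic tautology payload, constructed for the demo.
PAYLOAD = "' OR '1'='1"

ALLOWED_SORT_COLUMNS = {"id", "name", "email"}


def make_db():
    """Create an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately broken: concatenating `name` lets the caller rewrite the WHERE clause."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Fixed: the driver sends `name` as a bound value, never as SQL text."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_by_id(conn, raw_id):
    """Correct data types: an id must be an integer before it goes anywhere near SQL."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # "2 OR 1=1" is not an id, so it never reaches the query
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def sort_users(conn, column):
    """Identifiers cannot be parameters, so allow-list the column, then quote the survivor."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column: %r" % (column,))
    quoted = '"' + column.replace('"', '""') + '"'  # SQL-standard identifier escaping
    rows = conn.execute("SELECT id, name, email FROM users ORDER BY " + quoted)
    return [row[1] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, PAYLOAD))    # every row leaks
    print(lookup_parameterized(conn, PAYLOAD))  # no user is literally named ' OR '1'='1
    print(lookup_by_id(conn, "2 OR 1=1"))       # rejected before any SQL runs
    print(sort_users(conn, "name"))             # allow-listed identifier, safe to splice
```

Running the block prints all three users for the concatenated query and an empty list for the parameterized one with the identical input; that contrast, not the payload, is the point. The allow-list shows where escaping still belongs: only for the pieces of a statement that a parameter cannot carry, and only after the value has been checked against a closed set.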
If you want a more thorough overview of what #SQLi consists of and you don't feel real nerdy at the moment, start with Wikipedia. They have it covered: en.wikipedia.org/wiki/SQL_injec…
If you want to get good and nerdy on #SQLi, I'd suggest taking a look at the OWASP definitions, and code samples, and reports: owasp.org/index.php/SQL_…
I'm starting off with all these definitions and links because I can't emphasize enough just how well known the problem space around #SQLi is. We've long ago left behind the idea that this can be a surprise for anyone.
Yet. Here we are. A problem that is actually older than my children, with a solution just as old, is still causing problems today.

Want to get really angry? Read how some developers and admins are exposing children's data through #sqli
theverge.com/2019/4/27/1851…
Yeah, #sqli is not just about your banking data getting hacked or, oh, I don't know, maybe all your hotel information: calgarysun.com/news/local-new…

or your college data: campustechnology.com/articles/2019/…
I study this stuff quite a bit. Depending on how you read the data, #SQLi is not the biggest risk out there. In fact, depending on your industry, it might not be in the top 5. However, across industries, it is the single most common hack.
So, why are we still dealing with this issue?

The problems are deep and wide. Too many new developers without knowledge. Lack of institutional understanding of the problem. Speed of delivery over quality of delivery.

Those are just a few.
Any or all of those is the cause. Let's add one more cause for #sqli

Hello World examples.

We don't do a good enough job building example code. I say this as someone who is guilty of bad example code (hi @Hugo_Kornelis).
We're showing people bad habits. Those bad habits get built into the systems and get released into the wild.

So, it's not sophisticated hackers that look like this:
No. The problem with #sqli is that the problem is so very well understood and the ability to exploit it so utterly easy, that the hackers look like this: