,
13 tweets,
6 min read
Read on Twitter
Right, #sqli or #sqlinjection.
Let's talk about it a little.
The concept is simple. Your code allows someone to place additional SQL commands in it. That "injected" code enables data access and/or system hacking (depending on the security in place).
Let's talk about it a little.
The concept is simple. Your code allows someone to place additional SQL commands in it. That "injected" code enables data access and/or system hacking (depending on the security in place).
The problem, and the solution, has been well defined since 1998.
Simply put:
Parameterize the query
Escape the input
Have proper security in place
Use correct data types
In a nutshell. There's a ton more details, but that covers the basics.
Simply put:
Parameterize the query
Escape the input
Have proper security in place
Use correct data types
In a nutshell. There's a ton more details, but that covers the basics.
If you want a more thorough overview of what #SQLi consists of and you don't feel real nerdy at the moment, start with Wikipedia. They have it covered: en.wikipedia.org/wiki/SQL_injec…
If you want to get good and nerdy on #SQLi, I'd suggest taking a look at the OWASP definitions, and code samples, and reports: owasp.org/index.php/SQL_…
I'm starting off with all these definitions and links because I can't emphasize enough just how well known the problem space around #SQLi is. We've long ago left behind the idea that this can be a surprise for anyone.
Yet. Here we are. A problem that is actually older than my children with a solution just as old is still causing problems today.
Want to get really angry? Read how some developers and admins are exposing children's data through #sqli
theverge.com/2019/4/27/1851…
Want to get really angry? Read how some developers and admins are exposing children's data through #sqli
theverge.com/2019/4/27/1851…
Yeah, #sqli is not just about your banking data getting hacked or, oh, I don't know, maybe all your hotel information: calgarysun.com/news/local-new…
or your college data: campustechnology.com/articles/2019/…
or your college data: campustechnology.com/articles/2019/…
I stuffy this stuff quite a bit. Depending on how you read the data, #SQLi is not the biggest risk out there. In fact, depending on your industry, it might not be in the top 5. However, across industries, it is the single most common hack.
Or study
So, why are we still dealing with this issue?
The problems are deep and wide. Too many new developers without knowledge. Lack of institutional understanding of the problem. Speed of delivery over quality of delivery.
Those are just a few.
The problems are deep and wide. Too many new developers without knowledge. Lack of institutional understanding of the problem. Speed of delivery over quality of delivery.
Those are just a few.
Any or all of those is the cause. Let's add one more cause for #sqli
Hello World examples.
We don't do a good enough job building example code. I say this as someone who is guilty of bad example code (hi @Hugo_Kornelis )
Hello World examples.
We don't do a good enough job building example code. I say this as someone who is guilty of bad example code (hi @Hugo_Kornelis )
We're showing people bad habits. Those bad habits get built into the systems and getting released into the wild.
There, it's not sophisticated hackers that look like this:
There, it's not sophisticated hackers that look like this:
No. The problem with #sqli is that the problem is so very well understood and the ability to exploit it so utterly easy, that the hackers look like this:
