Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Top 15 Free SQL Injection Scanners

kdawson posted more than 7 years ago | from the looking-for-trouble dept.

Security 103

J.R writes "The Security-Hacks blog has a summary of the 15 best free SQL Injection scanners, with links to download and a little information about each one. The list is intended asan aid for both web application developers and professional security auditors."

cancel ×

103 comments

Sorry! There are no comments related to the filter you selected.

asian aid (1, Funny)

User 956 (568564) | more than 7 years ago | (#19196381)

The list is intended asan aid for both web application developers and professional security auditors.

Ok, so that covers China and Japan, but what about Europe and the U.S.?

Re:asian aid (1)

Mr0bvious (968303) | more than 7 years ago | (#19196397)

I don't think it was the editor's fault. His post appears to have been hacked, most probably using some SQL injection.

Re:asian aid (1)

deftcoder (1090261) | more than 7 years ago | (#19196435)

What next? They'll blame all the dupes on SQL injection, too?

wetbacks kikes niggers (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19196385)

spics boongs chinks

Re:wetbacks kikes niggers (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19196781)

Pakis wops?

Ands what's a boong?

Re:wetbacks kikes niggers (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19196943)

a derogatory term for indigenous Australians IIRC.

Why is this needed at all? (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19196401)

If you just make sure you always use prepared SQL statements with positional arguments, you will never have any problems with SQL injection.

I suppose the over-use of PHP (which for a long time didn't even support prepared statements (does it even do it today?)) combined with stupid users that created the current situation.

Re:Why is this needed at all? (1, Informative)

koh (124962) | more than 7 years ago | (#19196457)

The DB interface in PHP5 supports positional arguments AFAIK. Now, if only the service providers would switch to PHP5, there would be less problems. Unfortunately, it seems that, at least here, the major providers are still stuck in PHP4-for-compatibility-with-existing-apps mode.

Re:Why is this needed at all? (2, Insightful)

billcopc (196330) | more than 7 years ago | (#19198043)

Gee that's an easy solution: dump the legacy apps! PHP 5's only been out for 3 years :P How hard can it possibly be to rewrite the vulnerable bits of SQL anyway ? I never really felt much of a shock when I switched to PHP5 years ago, the bulk of my coding habits were unaffected and the few things that broke involved a 5-minute fix or less.

Non Issue (1)

encoderer (1060616) | more than 7 years ago | (#19202175)

1. You can easily run both PHP4 and PHP5 on the same server. When it's done, it's usually determined by a .php5 extension or <?php5 ?> braces.
2. The upgrade from 4 to 5 CAN be quite painful if you've done a lot of OOP coding in PHP4. Nearly all of the upgrade was focused on increasing and improving OO support. Some of the changes made (like, for example, constructor naming) are backwards compatible, but most aren't.
3. This is all moot because you don't HAVE to use the Circa-php4 mysql extension, anyway. MySQLi (the Improved mysql extension) can be used with PHP4 just as well as it can be used with PHP5.

Re:Why is this needed at all? (1)

neoform (551705) | more than 7 years ago | (#19196557)

mysql_real_escape_string() has been a function going back to php4..

Re:Why is this needed at all? (2, Insightful)

ThwartedEfforts (2976) | more than 7 years ago | (#19196577)

magic quotes ain't helping though either, but I suppose seeing backslashes littering the output (as is common on many websites) is better than SQL injection. The magic quotes setting, and the concept behind and naming of the stripslashes function, is so confusing that it's best to just turn off magic quotes, don't use stripslashes, and manually make sure you either quote everything (hard) or use prepared statements (much easier).

Re:Why is this needed at all? (5, Informative)

mabinogi (74033) | more than 7 years ago | (#19196665)

It's the completely wrong answer to the problem though, as it still promotes the idea of using SQL built by string concatenation.
The result being that SQL injection is only one forgotten function call away.

Re:Why is this needed at all? (2, Insightful)

PhotoGuy (189467) | more than 7 years ago | (#19198141)

It's the completely wrong answer to the problem though, as it still promotes the idea of using SQL built by string concatenation.
The result being that SQL injection is only one forgotten function call away.


I agree. I actually find it easier to use the call with parameters, rather than trying patch together a string. Putting in the "?" parameters in the string, and listing them afterwards, pretty damn simple. I'm amazed SQL injection is an issue at all. I guess there's a lot scarier programming out there on major sites than I can possible imagine.

Re:Why is this needed at all? (2, Insightful)

GnuDiff (705847) | more than 7 years ago | (#19198803)

I think it is due to 2 reasons:

1) the string concatation technique being present in several pretty popular (and awful) PHP books, and (afai remember) in the PHP documentation itself, thus becoming defacto "standard";

2) The general ignorance of a significant part of PHP developers of any database abstraction layers and in fact anything but the magic LAMP.

Re:Why is this needed at all? (1)

smellotron (1039250) | more than 7 years ago | (#19204491)

Personally, I like either of these two case (syntax off the top of my head):
// Using PHP5's PDO
$stmt = $pdo->prepare('SELECT f1, f2, f3 FROM foo WHERE x = ?');
$stmt->execute(array($x));

// Using native Postgres calls (ADOdb does this internally)
$stmt = pg_prepare('SELECT f1, f2, f3 FROM foo WHERE x = $1');
pg_execute($stmt, array($x));

However, there are cases where prepared statements are insufficient, though they are certainly not mainstream. You can't prepare an incomplete statement. If the SQL query itself varies (e.g. what tables you JOIN and what constraints you put in your WHERE clause), you have some choices:

  • Prepare every possible query. This is secure by default, but tedious to enumerate all possibilities (in some cases increasing the chance of bugs due to duplicated SQL code)
  • Use the most detailed query, crafted in such a way that unnecessary JOINs and conditionals can be no-ops. This doesn't always work, but you can craft something like "WHERE (foo = ? OR ? IS NULL)" and pass in $foo to both parameters, to allow conditional checking of foo.
  • Dynamically generate the SQL query (it should still be parametrized). The downside is that there is no single block of text that contains the exact query, but it is consistently going to have the best performance and least duplication required.
It's perfectly acceptable for someone to say "There will be no dynamic SQL generation in this project," the same way it's perfectly acceptable to say "We don't use #define macros ever." You're just denying yourself a useful tool.

Re:Why is this needed at all? (1)

Firehed (942385) | more than 7 years ago | (#19200145)

Only helps if you use it. It's easy to forget at least once, especially in a big project.

Re:Why is this needed at all? (1)

vdboor (827057) | more than 7 years ago | (#19196605)

For a security audit of an existing code base! Or are you willing to hire someone to browse code in a month time?

I suppose the over-use of PHP (which for a long time didn't even support prepared statements (does it even do it today?))
Every language allows you to write libraries which do things properly. The language is not a limiting factor here.

Sig (0)

Anonymous Coward | more than 7 years ago | (#19196701)

9.81m/s^2

Re:Why is this needed at all? (1)

matthewbarr (840525) | more than 7 years ago | (#19196727)

I have to agree - these tools could be very useful in getting to grips with a bunch of code that's been written by someone else. However, if you're writing the app yourself, sloppy code (concatenating queries on the fly, ignoring functions such as mysql_real_escape_string(), etc.) and not validating user input are your main concerns. PHP is not the problem if used correctly!

Re:Why is this needed at all? (5, Insightful)

hclyff (925743) | more than 7 years ago | (#19196729)

Every language allows you to write libraries which do things properly. The language is not a limiting factor here.
PHP did not for a long time. And no, I don't believe that "magic quotes" allows you to write secure code properly. Any framework which relies on string concatenation for building an SQL command is inviting insecure code, because the programmer has to *actively* seek to fix injection problems. There is statistical certainty he will overlook something sooner or later. Coupled with the fact that PHP4 was (is?) prevalent compared to PHP5/6 for a long time, it just might be the single most contributing factor to why are SQL injections so common.

Re:Why is this needed at all? (1, Insightful)

encoderer (1060616) | more than 7 years ago | (#19202417)

1. Explain to me how PHP didn't allow libraries to be written? I don't understand that whatsoever. In PHP4 I'd write (and have written) a data abstraction layer that wrapped the inbuilt mysql functions, incorporating, among other things, string cleansing. The mysql library is procedural in PHP4 and below (and is both proc and oo in 5). So even if you're using <4 you can just write your own wrappers for all the functions and throw them in a file that gets auto_prepend()'ed to every page. (auto_prepend acts sorta like a generic front-controller)

2. I never developed from scratch in PHP3 (just upgraded a few applications) or below but if, for some who-knows reason why people couldn't write such function wrappers, forget not that PHP is open source. Anyone could've written an extension in C and compiled it into PHP.

3. There is nothing about PHP5 that makes injection any less likely than in PHP4 if the developer is still using the mysqli library the same as he used the mysql library in php4. And if the developer is enlightened enough to use the improvements afforded by mysqli library properly, he'd probably also be enlightened enough to realize you can use the mysqli library in PHP4 as well.

4. Nobody is developing in PHP6 yet. It just made (EARLY) beta.

5. In summary, you don't seem to know all that much about PHP. You certainly know more than most, but I don't know why you posted information that's just not true. Is it just more PHP FUD or were you just sincerely misinformed? I only even point this out because PHP gets a pretty bad rap on here even though version 5 compares favorably to any other modern web dev language. It's not in the league of ASP.Net or J2EE, but it certainly is a better language than the avg /.'er gives it credit for.

I used to avoid PHP like the plague. I was comfortable using Java and C# for web development and even an occasional line of {shudder} VBScript. What I found when I began using it was a language that was very capable when used properly.

People here give PHP a bad rap because of the PHP Developers using it. It's a great entry level language. It gives you what I call complexity on demand. It's a language thats useful for your first-time developer, he doesn't need to learn or concern himself with procedures or classes or design patterns, and also useful for an experienced developer, capable of OOD, reflection, etc.

Re:Why is this needed at all? (1)

Sancho (17056) | more than 7 years ago | (#19204379)

There's a lot to be said for learning proper programming practices up front. A language which lets you shoot yourself in the foot that easily will likely cause the student to learn bad habits which will make later languages harder to learn, and which lends itself to creating security holes. I'd definitely not learn on PHP first, unless secure practices are a part of the criteria (not the case for most self-learners who read through a book.)

Re:Why is this needed at all? (1)

encoderer (1060616) | more than 7 years ago | (#19205183)

Oh come on. The same thing (shooting yourself in the foot) could be said, nay, SCREAMED, about C. But nobody here is blaming bad programming on the language in that case. Anybody learning "proper prgramming practices" can do so with PHP just as well as she could with any other language.

Re:Why is this needed at all? (1)

Sancho (17056) | more than 7 years ago | (#19208715)

The same thing (shooting yourself in the foot) could be said, nay, SCREAMED, about C.
Absolutely. Did I say that C was a good learning language? The reason that I didn't mention C was because this is a thread about PHP, and because this is a story about SQL injection where one of the most common interfaces to the database is (wait for it)..... PHP.

And if you'll note, I alluded to the fact that you could learn proper programming practices with any language, however that requires learning aids which mention them. In schools, this is sometimes the case. In books, it's much less so. Without the knowledge that these things can be insecure, it's hard to know what to do to secure them.

Re:Why is this needed at all? (1)

FooBarWidget (556006) | more than 7 years ago | (#19196887)

Prepared statements are slower because it needs an extra server roundtrip. I've recently discussed this issue on the Ruby on Rails core mailing list [google.com] , and people mentioned this while asking why we need prepared statements.

Re:Why is this needed at all? (1)

ensignyu (417022) | more than 7 years ago | (#19197037)

You could always use client prepared statements, which is mostly the same as building your own SQL statements strings but are much cleaner and does the quoting for you.

Re:Why is this needed at all? (3, Insightful)

ceswiedler (165311) | more than 7 years ago | (#19198721)

Huh? Do you prepare your statements every time you execute them? That would certainly be slower, but if you prepare the statement once and execute it many times, the local overhead becomes minimal and the execution time in the database improves because the DB doesn't have to re-parse and re-plan the query.

Re:Why is this needed at all? (1)

FooBarWidget (556006) | more than 7 years ago | (#19199823)

"Huh? Do you prepare your statements every time you execute them?"

Uhm, if you use PHP then you *can't* cache your prepared statements (unless you do the same query many times in the same PHP run, but that's unlikely). PHP is stateless, after one run it frees everything.

"but if you prepare the statement once and execute it many times, the local overhead becomes minimal and the execution time in the database improves because the DB doesn't have to re-parse and re-plan the query."

In theory, yes. But are there any benchmarks that support this claim? Many people say this but I've yet to see any hard numbers that prove it. I wrote a little test script which inserts 300000 rows in MySQL, and using prepared statements didn't improve performance *at all*. The Ruby on Rails guys also seem to be skeptical about the advantages of server-side prepared statements. Someone mentioned that it might help on complex queries with lots of joins, but I can't find any benchmarks for such a case.

Do you know such a benchmark? I am looking for one.

Re:Why is this needed at all? (1)

Gotebe (887221) | more than 7 years ago | (#19205827)

I wrote a little test script which inserts 300000 rows in MySQL Do you know if your DB of choice has a cache of prepared statements (many do)? If no, what did you expect?

Re:Why is this needed at all? (2, Insightful)

enrevanche (953125) | more than 7 years ago | (#19198829)

I cannot answer for Ruby, but for Java/JDBC this is only true for the first call to a prepared statement. For the second and subsequent calls to a prepared statement, a prepared statement is always better or at worst equivalent. With connection and prepared statement pooling, performance can be improved dramatically.

Note that this all depends on the database and the driver, as some databases do not cache query plans or the driver does not properly coordinate the query plan with the database.

There is no simple answer, as this all depends on the database and the application.

Re:Why is this needed at all? (1)

smellotron (1039250) | more than 7 years ago | (#19204655)

Because PHP is stateless, there is no connection pooling and SQL statements must be re-prepared at ever script execution. In my experience, there are very few cases where a query gets executed multiple times on a single script, so the benefit for preparing goes wayyyyy down. If you really need a complex query prepared, turn it into a procedural function in your database. This pushes the expensive query-parsing to the first function call for PL/PGSQL (Postgres), and turns all of your SQL queries into stuff like "SELECT * FROM my_select_function(?, ?, ?, ?)".

Re:Why is this needed at all? (1)

jZnat (793348) | more than 7 years ago | (#19196967)

PHP 5 does natively via PDO [php.net] , and PHP 4 (and 5) does via PEAR's MDB2 [php.net] (older version: DB [php.net] ). There is also ADOdb [sourceforge.net] which has a very similar API to Microsoft's ADO RDBMS API (acronym overload!).

The availability of robust packages like those still doesn't stop newbie (and veteran) PHP programmers alike from just using the raw MySQL API subset known as the mysql_* functions (which were deprecated in favour of the newer MySQLi [php.net] functions/objects that also support prepared statements) along with occasional use of addslashes().

Re:Why is this needed at all? (1)

smellotron (1039250) | more than 7 years ago | (#19204745)

The availability of robust packages like those still doesn't stop newbie (and veteran) PHP programmers alike from just using the raw MySQL API subset known as the mysql_* functions
I'm a veteran PHP programmer, and I've worked in a dedicated Postgres environment (we were more likely to switch our scripting language from PHP to Python than our database from Postgres to anything). We used PEAR::DB, and frankly, I think it sucked. It didn't support modern Postgres features at all (including using addslashes instead of pg_escape, which itself was discovered as a security flaw for some non-ASCII databases). It was slow and bulky, to the point of being the #1 source of CPU time being used according to Xdebug and KCacheGrind.

I enjoy PDO (with a few additions that I can manage with subclassing), and it is efficient. Using PEAR::DB made me want to claw my eyeballs out, and IMHO the Postgres environment I mentioned earlier should have been using the pgsql_* functions.

Re:Why is this needed at all? (3, Interesting)

vr (9777) | more than 7 years ago | (#19197087)

If you just make sure you always use prepared SQL statements with positional arguments, you will never have any problems with SQL injection.

Actually, that is not true, as it ignores one problem: bugs in the database drivers. Seriously, there have been bugs in database drivers that have enabled SQL injection... I specifically remember a bug in the PostgreSQL JDBC driver [postgresql.org] a while back.

I also remember seeing a JDBC driver that simply inserted arguments into the string containing the SQL statement, although I fail to remember exactly which driver that was. This was a while back, mind you, so hopefully errors like that have been fixed. :)

Until I encountered these things, I believed that positional arguments was the silver bullet. The point here is that positional arguements in itself is no guarantee, it is only a part of an API. At some point you have to trust the developers of the database driver and the database itself, of course...

Re:Why is this needed at all? (1)

nurb432 (527695) | more than 7 years ago | (#19197525)

Because people sometimes goof, and its always good to test test test test.

Re:Why is this needed at all? (1)

xwipeoutx (964832) | more than 7 years ago | (#19197595)

I use prepared statements most of the time... however it's a pain in the butt when using the IN clause - there's no real way to do that, and I end up just concatenating SQL for those anyway

Re:Why is this needed at all? (1)

Shados (741919) | more than 7 years ago | (#19200199)

Thats still fine with IN Statements: you concatenate strings, yes, but from a trusted source (your own!) to add the parameter placeholders, and then loop to add the parameters to the collections. So its completly safe, and still ends up as a prepared statement.

Another way that I like, is (for DBMS that supports it) pass as a parameter an XML document with (if i'm paranoid) a schema, then pivot it as a table, and use the IN on that. Works pretty good.

Re:Why is this needed at all? (2, Interesting)

AnObfuscator (812343) | more than 7 years ago | (#19197623)

If you just make sure you always use prepared SQL statements with positional arguments, you will never have any problems with SQL injection.


Well, prepared statements have their own shortcomings -- they're not the magic bullet to solve all our DB issues. Some would have you believe they are, but don't be fooled.

I suppose the over-use of PHP (which for a long time didn't even support prepared statements (does it even do it today?)) combined with stupid users that created the current situation.

IIRC, when PHP 4's mysql drivers were written, MySQL did not support prepared statements. However, PHP 5's mysqli driver does support MySQL prepared statements. Also, PHP 5's PDO system offers a unified DB API with prepared statements.

Re:Why is this needed at all? (1)

1110110001 (569602) | more than 7 years ago | (#19216701)

which for a long time didn't even support prepared statements

Let's take an example: http://viewcvs.php.net/viewvc.cgi/php-src/ext/oci8 /oci8.c?revision=1.1&view=markup [php.net] - added 8 years ago. Prepare? Yes. Bind? Yes. For 8 years. Now that's what I call supported for a long time.

The problem is more with this database named after a child, which didn't support any of the advanced features for years.

Go on (0, Redundant)

Alterion (925335) | more than 7 years ago | (#19196509)

go on just say an aide for 1337 HAXOR's - you know you want to

Alternatives (2, Interesting)

stonecypher (118140) | more than 7 years ago | (#19196569)

Of course, security through obscurity is badbear.

That said, there are times - and this is one of them - that I'm glad my recently most common database isn't fundamentally SQL, or anything well-recognized. It also helps that (I believe) mnesia is immune to injection [erlang.org] , given that its queries are never textual, but rather always functional, and given that data are always presented as arguments. Every route to injection I'm aware of just doesn't make sense in context (though if someone knows a way attack Mnesia, I'd love to hear about it.)

Sure, there are times at which SQL is a major win over mnemosyne, but they're not common. Sure, it's nice to have a database be ready for you at any host, instead of having to take the time to find a good host who lets you run stuff. But when it comes down to it, the atypical performance characteristics of Erlang (especially since I write multiplayer games, for which massive concurrency is win) and the ridiculous speed of Mnesia make me miss SQL less every day.

'Course, client stuff still needs to work on MySQL. :(

Re:Alternatives (0)

Anonymous Coward | more than 7 years ago | (#19196831)

yeah, because processing input into SQL statements is such a new thing. Who the hell would have ever thought of something along the lines of stmt.setString(1,"%crap!%");.... (assuming stmt is already a prepared statement)

Detecting SQL Injection is hard ... (4, Insightful)

Gopal.V (532678) | more than 7 years ago | (#19196595)

The feedback factor for SQL Injection is very low. It is very hard to generically detect the after-effects of a successful sql-injection attack.

In comparison, something like XSS is easy because if you inject a string, the string re-appears in the HTML returned (HTML injection). The XSRF and XSS attacks dominate the internet attacks because they are really easy to scan for - though technically that should be an excellent reason they shouldn't exist :)

Rasmus Lerdorf has this awesome test-tool for XSS he keeps demo'ing (thankfully not released). You can see the tool in action [flickr.com] in the background. But there's still no real easy way to reliably scan for Sql injection.

Re:Detecting SQL Injection is hard ... (0)

Anonymous Coward | more than 7 years ago | (#19196715)

True, but a XSS attack is only going to hit individual users (usually ones stupid enough to click where baited) - a successful, or even accidental SQL injection can leave an application at the point where the only real option is to restore from backup (sure hope there wasn't any money being exchanged). Of course the best option is to avoid the situation via not php (or if you insist adodb or some other library that does honor prepared statement like functions - I'm sure some php functions do, but the problem being they are 100% incompatible with any other db functions, never mind dialect differences... {hibernate rocks, /me stops bitching about php}).



As mentioned, SQL injection is hard to find, but as with anything if you can automate any portion do so now.

Re:Detecting SQL Injection is hard ... (0)

Anonymous Coward | more than 7 years ago | (#19196753)

Have to reply to my own AC comment - did forget to mention that regardless of whatever language you use if you do something along the lines of "SELECT crap FROM toilet WHERE id={$_GET[something],(HttpRequest)request.getParam eter('something')}" your screwed regardless, a programming language cant fix programmer error/noobness etc.

Re:Detecting SQL Injection is hard ... (1)

gratemyl (1074573) | more than 7 years ago | (#19197051)

True, but a XSS attack is only going to hit individual users (usually ones stupid enough to click where baited)

No need to click - it is easy to steal cookies and other information by injecting an img tag with onload=...

Re:Detecting SQL Injection is hard ... (2, Insightful)

Plutonite (999141) | more than 7 years ago | (#19198241)

Rasmus Lerdorf has this awesome test-tool for XSS he keeps demo'ing (thankfully not released).
Why thankfully? I've left this stuff a long time ago, but nothing has changed about security and obscurity. You cannot win this way, you only prolong a possibly undetected failure.

Re:Detecting SQL Injection is hard ... (1)

larry bagina (561269) | more than 7 years ago | (#19198831)

Rasmus Lerdorf has this awesome test-tool for XSS he keeps demo'ing (thankfully not released).

Actually, it [php.net] 's been released for a while now.

Re:Detecting SQL Injection is hard ... (1)

Aeiri (713218) | more than 7 years ago | (#19214739)

I'm the developer of SQLIer (the first tool listed on the site), and I've also developed a (VERY PRE ALPHA STAGE) tool that scans for SQL Injection and XSS.

http://bcable.net/project.php?vulndetector [bcable.net]

I use two methods, one which is an integer field scan and another which is a string scan.

The integer scan works like so. Four pages are requested from the server:

Page 1: http://www.example.com/asd.php?id=1 [example.com]
Page 2: http://www.example.com/asd.php?id=2 [example.com]
Page 3: http://www.example.com/asd.php?id=1%2B1 [example.com]
Page 4: http://www.example.com/asd.php?id=1 [example.com] '

Page 3's variable of course decoding to "1+1". If page 3 is equal to page 2, and not equal to page 1 or 4, then it's vulnerable. The idea there is that the extra crap "+1" hasn't been stripped off returning the same as Page 1, and it's not causing a MySQL error like Page 4 does.

SQLIer also has a modified form of that integer scan to ensure a real SQL Injection vulnerable site has been entered in by the user. Since there are pages that when requested display different things each time (like if it has a time on the page or has a new forum post on a side menu), instead of comparing if two pages are equal, two pages are diff'd, then a percentage of how much of the pages are the same are calculated. So if 98% (I think, I can't remember what I have this set at) of the page is the same, it's considered "equal".

The string scan works as follows. (this function is done for both ' and ", in the example I'm using ')

Page 1: http://www.example.com/asd.php?id=qwe [example.com]
Page 2: http://www.example.com/asd.php?id=qwe [example.com] ' /*
Page 3: http://www.example.com/asd.php?id=qwe [example.com] ' /*{randstring}

If Page 2 and 3 are different, then {randstring} is not needed since it's clear that an error (and/or URL) is being output to the screen. {randstring} is set to null if that is the case.

Then, Page 1 and 3 are compared, if they are different, then obviously an error is being thrown for the quote.

Page 3: http://www.example.com/asd.php?id=qwe [example.com] ' and 1=1 /*
Page 4: http://www.example.com/asd.php?id=qwe [example.com] ' order by 1 /*
Page 5: http://www.example.com/asd.php?id=qwe [example.com] ' and '1'='1

Page 5 is not requested if the quote does not throw an error. This is because the quote is obviously not causing a problem, and can't be closed.

Page 1 is compared against Pages 3 & 4. If Page 1 & 3 and Page 1 & 4 are different, then it continues to Page 5 if necessary. If Page 5 is different than Page 1, then it fails (they should be the same). This step is skipped if Page 5 isn't checked due to quotes not causing an error immediately.

Page 6: http://www.example.com/asd.php?id=qwe [example.com] '"
Page 7: http://www.example.com/asd.php?id=qwe [example.com] ' order by 999 /*

If both Page 6 & 7 are both the same, then finally it's deemed an SQL Injection hole.

Granted, the string check is incredibly complex and also potentially destructive, which is why it's disabled by default. The integer scanner is very quick and gets most vulnerabilities, and is incredibly accurate as well.

As for XSS, that is incredibly easy. It just throws random strings into the query variables and sees if the resulting page contains that string.

Hope this helps some people when trying to automate detection. Seems to work pretty well for me. Anyone have any better ideas for string detection?

what exactly is an sql injection? (2, Interesting)

siddesu (698447) | more than 7 years ago | (#19196717)

i hear people talking about them from time to time, but i still can't figure out how they appear.
ain't there query parameters in practically all database access APIs?

Re:what exactly is an sql injection? (3, Informative)

MickDownUnder (627418) | more than 7 years ago | (#19196761)

SQL injection attacks target code in which sql statements are dynamically created.

e.g.

'select * from employees where fullName like ' + mySQLInjectedInputFromUser

where mySQLInjectedInputFromUser has been asssigned a value entered by the user:-

Fred Flinstone; GO; delete employees; GO

Re:what exactly is an sql injection? (1)

weicco (645927) | more than 7 years ago | (#19198297)

Yep. And that's why you should use parameters instead of dynamically creating SQL commands as string. Not like this (C# .NET):

SqlCommand cmd = new SqlCommand(); cmd.CommandText = "SELECT * FROM t_Table WHERE Something LIKE '" + InputString + "'";

But like this (C# .NET):

SqlCommand cmd = new SqlCommand(); cmd.CommandText = "SELECT * FROM t_Table WHERE Something LIKE @param1"; cmd.Parameters.Add("param1", DbType.String).Value = InputString;

Lousy example, I know. A lot of languages and/or frameworks supports this kind of structure (in Perl I think paremeters are marked with '?' don't know about other languages) but unfortunately it is not used often enough. PHP has also all the fancy real_escape_string functions and such.

Re:what exactly is an sql injection? (1)

Shados (741919) | more than 7 years ago | (#19200135)

Its not the language that makes it so you use ? or @name for the parameters, but the access layer and/Or the DBMS itself. For example, using ODBC or OLEDB, even if you connect to SQL Server with C#, you'll end up using the ? way of doing things. Just a side note :)

Re:what exactly is an sql injection? (1)

Tablizer (95088) | more than 7 years ago | (#19199409)

Is there a way to turn off the execution of multiple statements per query? Why the API's allow this, I don't know.

Re:what exactly is an sql injection? (1)

Sancho (17056) | more than 7 years ago | (#19204443)

I don't know if you can turn it off--it's probably a per-database or -interface issue, however why they allow it is simple: complex queries and operations can require it.

Re:what exactly is an sql injection? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19196785)

I'll bite - PHP, the ultimate language crushes every other language by making it so easy for the database developers to provide an interface to their db in php. Of course, they do this by not establishing a common interface like the other, inferior, methods of connecting like JDBC & ODBC (#ifdef is a -GOOD- thing, everyone knows that standards, especially posix sucks).

Of course, developers also get lazy, sometimes really lazy - sometimes they also get pushed to a deadline and that whole 50 seconds to do it the right way just isnt acceptable as far as management is concerned.

Re:what exactly is an sql injection? (1)

cheater512 (783349) | more than 7 years ago | (#19196807)

Oh the common interface is there. Its just that people (like you) dont know about it.

www.php.net/pdo

Re:what exactly is an sql injection? (1)

siddesu (698447) | more than 7 years ago | (#19196811)

pray tell, how does (using the example above, and an imaginary access api)

this:
st = api.createStatement('select * from employees where fullName like ' + mySQLInjectedInputFromUser);
st.execute

take more time to write than this:
st = api.createStatement('select * from employees where fullName like ?' )
st.execute(mySQLInjectedInputFromUser);

Re:what exactly is an sql injection? (2, Insightful)

FooBarWidget (556006) | more than 7 years ago | (#19196879)

What do you mean, "I'll bite"? What makes you think it's a troll? Can't people have a legit question these days without being seen as flamers and trolls?

Re:what exactly is an sql injection? (0)

Anonymous Coward | more than 7 years ago | (#19197775)

Ah you must be on the PHP core developer team!

Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19196755)

In well written software SQL injection attacks shouldn't be possible. Don't use dynamic SQL, use stored procs. If you think you have to use dynamic sql, then create the sql statement within a stored proc (not code) then access that stored proc using authentication details that permit only read only access. I've never seen a situation in which dynamic SQL was required for updating or inserting data, generally it only gets used when performing complicated searching and even then it's not the only option....

http://www.sommarskog.se/dyn-search.html [sommarskog.se]

Re:Properly written software... (1)

growse (928427) | more than 7 years ago | (#19196797)

Why go through the faff of stored procedures whn you can just use parameterized queries? As far as I know, you need to have access to the db server to create/edit stored procs, and also, afaik, there's no way to use a source code control system on them.

Because a parameterized query sits in the code, you don't have to touch the db server if you want to do a code update.

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19196819)

It is common practice with database development tools to update stored procs from sql scripts which are checked into source control systems. Microsoft has a whole verion of Visual Studio [microsoft.com] for this purpose.

Not using stored procs at all in your application is typically done by novice developers, it is not how an experienced professional works with a database.

Re:Properly written software... (0)

Anonymous Coward | more than 7 years ago | (#19197029)

Experienced, out-of-date professionals use stored procs. Stored procs are a maintenance and testing nightmare. Every system I've worked on in the last five years has used an ORM tool that generated prepared statements.

Re:Properly written software... (2, Insightful)

growse (928427) | more than 7 years ago | (#19197115)

Which I'm sure is fabulous if you're using .NET and MSSQL. However, I imagine that particular combination doesn't make up a very large percentage of all the database applications out there.

Don't get me wrong, stored procs are a useful tool which are the correct answer to some types of problem. But completely overkill if you just need simple or even slightly complicated CRUD operations. Using stored procs when they're not really necessary is the mark of a developer who doesn't know how to use every tool in his toolbox properly.

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19197193)

Most database engines takes advantage of store procedures to create a pre-prepared execution plan which is used to optimise and speed execution time. Visual Studio will work with any database with an ODBC connection. All Visual Studio gives you is a nice environment in which to extract sql scripts and check them into source control, you don't actually need Visual Studio, you can just use notepad and edit sql scripts and check them in and out of source control manually.

*sigh* I don't know what I was thinking to engage in any sort of serious technical discussion on slashdot.

Anyhow run off and write your apps without stored procs the "SQL Injection Scanner" market needs you and your dodgy code.

Re:Properly written software... (1)

Jaime2 (824950) | more than 7 years ago | (#19198495)

Most database engines takes advantage of store procedures to create a pre-prepared execution plan which is used to optimise and speed execution time.

Most database engines also apply the exact same techniques to plain text queries. If the plain text queries are parameterized, then it works even better.

All Visual Studio gives you is a nice environment in which to extract sql scripts and check them into source control

Visual Studio also give you powerful tools to build parameterized queries and wraps them in class modules. It gives you the same tools for calling stored procedures. At the end of the day, what really matters is that you use some type of data access abstraction. Which type you use is a matter of personal preference and which technology is best for which situation. Microsoft's Transact-SQL is an absolutely horrible language that is very difficult to debug and had very poor error handling. Making a concious descision to implement complex code in that environment shows a serious lack of awareness of the costs incurred by your decisions. On the other hand, Oracle's PL/SQL is an OK language having better error handling and more useful constructs. However, PL/SQL still isn't as good as 90% of the languages that are common today. It is also fairly difficult to pass complex parameters into or out of stored procedures in any language.

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19199185)

The whole parameterized query thing vs stored procs argument has been argued from the day the internet was born.
Here's the arguments I would make for stored procs.

Most database engines also apply the exact same techniques to plain text queries. If the plain text queries are parameterized, then it works even better

Database engines more often than not will generate a whole new execution plan for plain text queries, it can also cause the execution plan cache to fill up more quickly, plus it opens you up to sql injection. Using plain text dynamic sql is just plain unforgiveable, if you really want to write your sql in your source code then you should use parametertized queries.

Microsoft's Transact-SQL is an absolutely horrible language that is very difficult to debug and had very poor error handling.

Debugging stored procs in Visual Studio [microsoft.com] is easy. This of course is impossible to do with dynamic sql.

Re:Properly written software... (1)

Jaime2 (824950) | more than 7 years ago | (#19199891)

plus it opens you up to sql injection

No, it doesn't. That's the false dichotomy that sp supporters like to espouse. A poorly called sp is vulnerable to SQL injection, while a well written, properly called ad-hoc query is not vulnerable. Just using a stored procedure does not protect you from SQL injection and just avoiding them does not make you vulnerable to it. I just worked up a real quick ad-hoc paraeterized SQLCommand in Visual Studio and here is what SQL Profiler shows me is really executing;

exec sp_executesql N'SELECT * FROM Employees WHERE EmployeeID=@EmployeeID', N'@EmployeeID int', @EmployeeID = 3

This is 100% SQL injection proof and is very likely to be cached and reused regardless of the value used for the parameter on the next call.

Debugging stored procs in Visual Studio is easy. This of course is impossible to do with dynamic sql.

That proves debugging is possible, not that it works well. Where are the conditional breakpoints? How do you attach to an already executing stored procedure? How do you inspect the contents of a local table variable in the midst of a procedure call? The MS Procedure debugger has all the features of a ten year old product that has not been enhanced. If I write my logic in C#, I get a far better debugger.
As for the claim that it is impossible to debug with dynamic SQL... sure. But, most of the time I don't put non-trivial logic into SQL at all. The lack of debugging isn't a problem because there is no logic to debug. If a particular situation requires me to run complex logic on the database server, then I do use stored procedures. However, that is only about 5% of the time.

I have embarked on a campaign at work to rewrite a bunch of 2000 line SPs as .Net code and the result is far more maintainable and debuggable code that gives us better error messages, better logging, and better performance. I'm not saying this will always be the case, but the people who first wrote this code blindly implemented it as stored procedures. This code is a bunch of complex data transformations that simply are easier to implement in a real language. Also, there are many processing exception that can arise and tracking those exceptions and alerting the correct people is far easier outside of the SQL server.
What about my argument that T-SQL is a horrible language? You have one looping construct and one statement level conditional construct. Cursor loops require you to write the FETCH both before the loop and at the end of the loop making maintenance that much more tedious. Compile errors can be tough to track down as the messages are often vague. Hidden gotchas like compiling a procedure with QUOTED_IDENTIFIERS on and modifying it with them off are always fun. No select construct (as in a traditional programming language, not record selection). Until the latest version, no exception handling. Things like allowing run-time selection of record ordering have to be implemented with EXEC(), which actually opens you up to SQL injection vulnerabilities. Also, common constructs like this...

SELECT X, Y, Z FROM MyTable WHERE (X = @X OR @X IS NULL) AND (Y = @Y OR @Y IS NULL) AND (Z = @Z OR @Z IS NULL)
... actually make reuse of execution plans undesireable. These techniques are often necessary to avoid having to create 18 million SPs each with slightly different criteria, but in doing so, you shoot your primary argument for using SPs in the first place in the foot. If you decide not to implement these types of solutions, then you have a maintenance nightmare for application that allow highly customizable searching. An EXEC() based alternative opens you up to SQL injection and also ruins the ability to grant execute permission to the SPs while denying access to the tables.

This is just a handful of specific examples of the inferiority of T-SQL as a language for complex logic. There are many more as T-SQL hasn't really been enhanced in 15 years.

Re:Properly written software... (1)

Doctor Faustus (127273) | more than 7 years ago | (#19200111)

What about my argument that T-SQL is a horrible language? You have one looping construct and one statement level conditional construct. Cursor loops require you to write the FETCH both before the loop and at the end of the loop making maintenance that much more tedious. Compile errors can be tough to track down as the messages are often vague. Hidden gotchas like compiling a procedure with QUOTED_IDENTIFIERS on and modifying it with them off are always fun. No select construct (as in a traditional programming language, not record selection). Until the latest version, no exception handling.

Yes, T-SQL is pretty weak if you look at it simply in terms of a procedural language. The context of execution is right there with the tables, though, and it's just one language, which is pretty nice compared to an application language where you have to connect to the database and pull stuff over, or PL/SQL where you have to keep track of what's SQL and what's PL/SQL, and do inane things like "Select SqlFunction Into Variable From Dual;". Table variables are a glorious thing, too.

And I spent two years or so doing most of my work in T-SQL before we started moving towards a Java web services architecture (we didn't know where we were going, but we knew we wanted to avoid writing more VB6), and in that time or the year or two before it, I never wrote a cursor loop (I used this technique. [sql-server...rmance.com] ). I also never wanted run-time ordering of records, but that's because I'm more of a back-end guy. If there was a screen where the user could select the ordering, my instinct would be to do that in the recordset.

Yes, T-SQL has plenty of weaknesses, but don't pretend the alternatives don't. It can be more frustrating, because T-SQL's weaknesses seem like they'd be easier to fix than those of the alternatives. User-defined functions in SQL Server 2000 and error handling in 2005 were good steps, though.

Re:Properly written software... (1)

growse (928427) | more than 7 years ago | (#19198911)

I'm sorry, but if you think that stored procedures are the be-all and end-all to db query security, then it would appear that you don't have a clue.

It is perfectly possible to write secure code without using stored procedures. It might be more difficult, in some cases, but not impossible.

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19204561)

No clue?

Riiight...

Well the biggest clue I have about security is that you build it into every tier of your architecture. Sticking security in one place is not a security architecture, well OK it might be, but as far as security architecture goes it sux.

Re:Properly written software... (1)

growse (928427) | more than 7 years ago | (#19206501)

Correct. And randomly throwing stored procs into your database when you don't need them doesn't make your database secure.

Re:Properly written software... (1)

Shados (741919) | more than 7 years ago | (#19199071)

Btw, what cracks me up is, bringing Visual Studio to the table, then talking about most database engines taking advantage of SPs for query plans...then forgetting...

One of the database engine thats the most used in tandem with Visual Studio, does NOT. In SQL Server, the execution plan is not pre-prepared. Its made at runtime, and cached. What does that mean? That dynamic sql (using prepared statements ONLY!), and stored procedures, have the same performance advantage, so that argument falls flat. I know not ALL RDBMS are like that, and wouldn't be able to give you a list, but at the very least for a large portion of Visual Studio users, that argument is a poor one.

Added to that, that the "SPs forever!" thing is a mostly Microsoft-world way of designing applications (keep in mind that I'm a .NET developer, and I love it, so I'm certainly not biaised AGAINST microsoft when saying that). In the rest of the world, SPs are part of the architecture and design decisions, like everything else, and that very, very often, they are not the right choice. An enterprise level application without any is probably designed wrong, I'll agree, but a lot of enterprise class java/unix/whatever apps use ORMs like hibernate or llblgen, and they are secure, scale perfectly fine, and perform quite well.

The SP-only thing comes from the VB6 world if anything.

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19204643)

Basically I think it comes down to consistency. I don't like writting an application where one half of my T-SQL code is in the DB and the other half in my source code.

At the end of the day I find in just about every enterprise app there is at least one feature that requires a complex set of T-SQL instructions to be executed that have definite performance benefits when executed within a stored proc as opposed to parameterised queries executed from source code.

So for consistency and extensibility I always stick my T-SQL into the database, it also keeps the DB administrators happy.

Re:Properly written software... (1)

Shados (741919) | more than 7 years ago | (#19204909)

As long as you put the right info (like application name) in your connection string, your DBAs will stay happy, no worries.

And there is NOOOOOOOOTHING you can do in a SP that you can't do in a param query. Nothing. None. ZERO. The only performance benefit you'll get is the bandwidth (if you run a long query 1000000 times in a row, its a lot of data going).

The rest is a decent argument, but one that only holds water in simple applications. In complex enterprise apps, you have a billion datasources. Probably 5-6 different RDBMS, ETL data sources, EDI, Biztalk, flat files from legacy system, integration of all the junk MS Word document from before you got hired and started smacking people, CLR queries, etc etc... So in the end the handful of T-SQL that would actually be benefitial (for example, a write-only query that stores sensitive information on a table that NO ONE has read access to, because of laws and stuff) just end up being an integral part of your service layer, like everything else. If your stored procedures are treated specially enough that mixing them with other data access methods becomes inconsistant, your app is way, way too tightly coupled with the domain model, and thats a future maintenance nightmare.

If its a smaller application that won't have to do any integration, like most stand-alone apps, then it can make sense I suppose, depending on your architecture.

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19205189)

Stored procedures can also improve performance. Many tasks are implemented as a series of SQL statements. Conditional logic applied to the results of the first SQL statements determines which subsequent SQL statements are executed. If these SQL statements and conditional logic are written into a stored procedure, they become part of a single execution plan on the server

http://msdn2.microsoft.com/en-us/library/aa174792( SQL.80).aspx [microsoft.com]

Re:Properly written software... (1)

Shados (741919) | more than 7 years ago | (#19208639)

Did you know that msdn has a lot of mistakes and errors, especially when it comes to SQL Server? Hell, I personally talked with some of its own engineers that had to be corrected by their superiors afte a discussion about its inner working. Thats not counting the insane amount of syntax error in their samples on SSIS, for example. :) That being said, that omits a simple detail: again, anything in a SP can be done in a dynamic sql statement.

That means conditionals, loops, temporary tables, transactions, you name it. It -all- can be done. Take -any- stored procedure you made, remove the SP declaration (that gets replaced by the parameter insertion), and you're good to go. The first time I had this argument, I goofed around and tried it with a 1.5k line SP. Works pretty good. And the query plan will be the exact same.

All these performance arguments come from 2 urban legends. #1: That there's something special about query plans in SQL Server when it comes to SPs. Thats wrong, you can dig in the documentation, or better yet, ask the SQL Server team directly: the code of the SP is literally stored as is, and when its invoked, its sent in the SAME pipe as dynamic queries get sent to, the query plan is created, the query is hashed and that hash is stored with the plan. If you send a dynamic sql, it goes through the same pipe, and the same process, in the same order. Hell, I think (but am not positive) that if you were to send a dynamic sql that matched the SP, you could reuse the SP's plan indirectly :)

But yes: you can make an impossibly large dynamic sql query with conditional logic, loops, you can even declare variables, yadah yadah. Only some things that are structure specific won't go, like return values (have to use output parameters instead) and such, and it all gets the exact same kind of execution plan, that gets reused the exact same way. Most people don't seem to realise that. Anything else is pure misinformation, that is quite common, even among Microsoft's own employes. Its funny really.

You'll still want to use some server side programming though. User defined functions are a blessing, even with param queries.

Re:Properly written software... (0)

Anonymous Coward | more than 7 years ago | (#19200553)

*sigh* I don't know what I was thinking to engage in any sort of serious technical discussion on slashdot.

Yes, better to stick with forums populated by the non-technical. It looks like you just got your ass handed to you by people who simply know more.

Re:Properly written software... (1)

heinousjay (683506) | more than 7 years ago | (#19196799)

In theory, that works, but there needs to be a very clearly defined separation regarding what ends up in the stored procedures. I'm a little gunshy about using this technique because I've seen it grow into an unmaintainable monster. Without a clear line between the DB interaction logic and the app logic things tend to settle all over the place. Granted, this isn't specifically a stored procedure problem, more a dev lead/team experience one, but it's still something that needs to be watched carefully lest things get out of control.

Re:Properly written software... (2, Insightful)

Ash Vince (602485) | more than 7 years ago | (#19198263)

What alovely idea, but here in the real world we have things called design constraints. Like maybe you have a web application that has been doing its job for the previous 5 or 6 years but is also constantly evolving. You have a lot of legacy code that was written to run against a mysql database from 5 years ago. That puts you on MySQL 4.0 with no stored procedures.

Now I am not saying this doesnt need an upgrade (currently in the works), but when you are talking about a mission critical app that is already making money you have to be very careful about breaking anything, you cant just throw a new version of mysql on your master database server and pray to the gods of IT. You have to be 100% sure everything will work before you move to a new version of anything, otherwise you irrepairably damage the image of your business.

Even when you are sure that it will work you have to perform the switch outside of core hours and warn customers of the potential for downtime. Things do not always go 100% according to plan and the most minor error can have serious consequences. Especially when in order to do something outside working hours you are doing this at 4am. It takes several days to switch your sleep patterns over to nighttime working but quite often in the run up to the overnighter you are too busy to sleep all day.

Out here in the real world we have to deal with suboptimal platforms as the decision to go with a particular DB server might have been taken years before you started working for the company. You can not just go in and insist everything is changed to what you would prefer (even if it is a better platform).

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19202929)

In my real world I don't come across many legacy apps that don't leverage stored procs. Stored procs for way longer than 5 or 6 years. They were officially made part of the SQL language in 1999 and they were unofficially around many many years before that.

I don't go round re-writting everything just for the sake of making it mine. In the real world you evaluate every application on a case by case basis. In the real world it is very often the case that the time required to add new features or fix existing features on badly written legacy app is less than the time required to re-write it with modern programming tools.

I also don't come across many jobs dealing with legacy apps, and the ones I do I tend to steer clear of. I prefer creating my own crap than dealing with somebody elses.

Re:Properly written software... (1)

Ash Vince (602485) | more than 7 years ago | (#19207741)

I also don't come across many jobs dealing with legacy apps, and the ones I do I tend to steer clear of. I prefer creating my own crap than dealing with somebody elses.

Good for you, I used to do nothing but create new code in my last job.

Nowadays I work in collaberation with serveral other developers and we all maintain each others code. Since I started I have learnt far more than I ever did when I only worked on designing my own projects from scratch. I also find it far more challenging and hence more rewarding too.

I recommend you try it at some point if you want to grow as a developer.

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19230995)

Yes one day I could be as good a developer as you... dare to dream.

My comment was obviously meant with humour. I collaborate with other developers all the time. I even go to user group meetings to get exposure to as many alternate views on development as possible.

And like most developers I prefer to work with new or next generation technology rather than working within the confines of some sort of time bubble from 10 years back due to the restrictions of some legacy system's architecture.

Re:Properly written software... (1)

Shados (741919) | more than 7 years ago | (#19199029)

While stored procedures are good, using dynamic sql inside the stored proc is (almost) as vulnerable as using normal dynamic sql.

The truly secure methods are:

1) Use stored procedure, with no dynamic sql whatsoever.
2) Use prepared statements: this make dynamic sql just as secure as stored procedure, and in the more advanced RDBMS, allows query plan to be cached (aka: it is virtually exactly as fast as stored procedures. SPs being used for performance reasons is a myth folks, at least with the better RDBMSs)
3) Use dynamic sql inside stored procedures, using prepared statements (I know at least T-SQL and PL/SQL let you do that, don't know about the others, never had to use it)

Basically, it comes down to: use a method that allows the RDBMS to cache the query plan, and just think of it as being for performance reasons. The security will come on its own, that way you won't have to think about it. If the RDBMS can't cache the plan, there's chances of potential holes.

Re:Properly written software... (1)

MickDownUnder (627418) | more than 7 years ago | (#19204571)

and... If your db is MS SQL Server use sp_executesql not EXEC

Re:Properly written software... (1)

Gotebe (887221) | more than 7 years ago | (#19205859)

Don't use dynamic SQL, use stored procs. Ah, you mean like this: EXEC MyProc "UserInputHere". Yeah, that helps, especially if UserInputHere == "Nevermind""; drop table X". Coming from MS background, I reckon? Dynamic SQL and stored procs are largely orthogonal (using one doesn't preclude using the other).

Testing slashdot (4, Funny)

mobby_6kl (668092) | more than 7 years ago | (#19196829)

blah'; UPDATE users SET uid = '1' WHERE uid = '668092';

Top 15 _______? (2, Insightful)

kjart (941720) | more than 7 years ago | (#19197183)

What is this, Digg?

Re:Top 15 _______? (1)

Jesus_666 (702802) | more than 7 years ago | (#19205431)

Hey, I'm not complaining; this makes my upcoming IT Security assignment much easier. Once again reading Slashot pays.

)t4co (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19197237)

collect any sp1lled

Validating Input (2, Informative)

mtjo (1080513) | more than 7 years ago | (#19198095)

Validating input prevents alot of problems. Prepared queries help but can still be exploited in poorly written statements. As in the classic SELECT query example, "where id=23 OR 1=1", using a datatype test as well as testing for null values for a $_GET or $_POST parameter before executing the query would throw back an error if expecting an unsigned integer.

One of the best SQL injection attacks I've seen... (4, Informative)

thewils (463314) | more than 7 years ago | (#19198159)

...was in conjunction with an error page which displayed the results of failed SQL.

I was able to change an innocuous 'select ... from catalog where section=1' into 'select ... from catalog where section=(select password from users where id=1)'.

This was nicely reported back to me as a SQL error stating that SQL was unable to convert "sdfsdfsdfsdf" into an integer, where "sdfsdfsdfsdf" was user id 1's password. I reported the problem to the site's owners, and it was still a month before they fixed it.

Moral of story - don't show the users any SQL errors, it gives them far too much information.

Re:One of the best SQL injection attacks I've seen (1)

mig21bp (925633) | more than 7 years ago | (#19209929)

don't show the users any SQL errors, it gives them far too much information

What do you mean by 'too much information'? Security through obscurity [wikipedia.org] ?

do they check cookies? (2, Insightful)

brunascle (994197) | more than 7 years ago | (#19198247)

it's not just URLs and post-back forms that can be vulnerable, cookies can be too. i didnt realize that until i found one on my own site. (it wasnt exploited, i found it on my own.)

Re:do they check cookies? (0)

Anonymous Coward | more than 7 years ago | (#19212719)

Darn slashdotters have to ruin all the fun! ;) I used to mess with cookies on a rather big site *cough* yahoo games *cough* and I would be "logged in" as some obscure names. Boy was it fun having 5-digit "ratings" on yahoo chess! I think they might have fixed it 5 years later, though.

It is due to exploits like this (and numerous others I'd find in my free time, like being logged in as others in certain e-mail accounts) that I would never use the Internet to do anything important involving money transfers. Let's just say the problems and exploits out there are bigger than most people realize.

Posting anonymously for obvious reasons.

intresting (1)

MadKad (1090963) | more than 7 years ago | (#19199725)

intresting read thank you and well put together

Bwah (1)

bytesex (112972) | more than 7 years ago | (#19205903)

I don't need SQL injection scanners. I use perl DBI and I always put arguments in as '?'.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>