Reply to: SQL Injection

Seen plenty of sql injection through SP's (i'm a pen tester and software security head btw), either the dev's build the SP call dynamically or in some cases, i've seen dynamic sql constructed within the SP!

Best approach is (as stated already) parameterised queries, and also _in all cases_ input should be validated against expected data type (at least) and usually one or more of length, format and range.

cheers

Until the next dev comes along and adds an insert...

Nope, there's no excuse whatsoever to not use parameterised queries at the very least.

well of course, a mad admin can bring down anything, in which case the most nicely-parameterised data access tier known to man won't be much use.

Not a good enough safeguard for any serious system. One dumb admin can bring it all tumbling down.

That's a bit extreme. You might be accessing the db using an account that's got
CREATE SESSION
SELECT ON NODDY_VIEW
and nothing more. That would be pretty injection-proof.

WHS and ideally stored procedures.

If you're not using parameterised queries to access the database, uninstall your development environment right now as you have no business writing code to connect to a database.

Don't talk to me about escaping input, I'll only laugh in your face, as will most pros.

For Oracle, I recommend visiting Pete Finnigan's site to get good info. on securing your DB and webby stuff. Which is what I will be doing, now that I come to think of it.

You've reminded me of my best cowboy fix ever. Not exactly SQL injection, but a similar principle.

Customer had a windows app connecting to Oracle. which they'd supposedly tested in advance of database/MDAC/OS upgrade.

Details get a little hazy in my memory, but there was one little function that they'd missed testing, which wouldn't work after the upgrade. I think it was relying on an Oracle ref cursor or something, which had stopped returning results for some obscure reason to do with the upgrade.

We got the fix ready, which just involved setting some explicit attributes in the code that was making the database calls. But we also noticed that it was logging in to the database just by asking for the user's name and password on its login screen, then tacking them onto a connection string.

So for the couple of weeks before the fix was released, the official workaround was this: instead of user Fred logging in as FRED, he had to log in as FRED;PLSQLRSet=1

I've seen several sites in the last couple of months being compromised by something very similar to what you've listed above. All it takes is one vulnerable script, and the entire contents of the database could be chewed up.

Anybody who's not familiar with the dangers of SQL injection in web apps would be well advised to read up at the earliest opportunity.