- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Probably "Fix Query" or something like that.
Admin
"...told the vendor to fix the ‘blatant SQL-injection vulnerabilities’ that we discovered."
This just HAS to be an offshore vendor. Customer said to fix the blatant SQL-injection vulnerabilities, vendor fixed the blatant SQL-injection vulnerabilities.
If the customer wanted ALL the SQL-injection vulnerabilities fixed, he should have said so.
-Harrow.
Admin
Admin
It would have been cooler if they named it FuhQ().
Admin
OK, I can accept that there are some fine people out there who just don't know about SQL injection, even though it should be their job to get themselves educated before creating their crud.
What I find absolutely unconscionable is when someone is warned "you have an SQL injection security vulnerability in your code" and they don't bother to do a single google to find out what that means and how to correctly fix it. Typically, the vendor who dares to charge good money for their crud has been given valuable information, by their customer, for free, on how to dramatically improve their crud. Why we should give them this knowledge for free, I'm not sure, but instead of being grateful for this gift they expend all efforts to return to their state of ignorant bliss as quickly as possible.
Now it isn't a mistake any more. You've been warned, and you chose to ignore it. Now it is deliberate, premeditated, inexcusable stupidity.
I want to gather up all of those knuckleheads and ship them off to another planet. Or I'll go and they can stay here. I'm just sick and tired of sharing oxygen with them.
Admin
I actually did something like that. Was assigned to take a look at some 'minor security issues brought up by a pesky auditor'. Set up a 5 minute appointment with the big cheese (which too like... days to get). Asked him to pull up one of the offending web pages, then asked to use his keyboard for a second. "So, I type in ;select * from events where 1=1 -- and check it out" His eyes grew larger as the page that was supposed to display a single event scrolled off in to oblivion as it laboriously spit out every single event in the database.
I paused for a dramatic effect, allowing him to soak in the possibilities of what he had just seen.
"Now, watch what happens when I type in ; delete from customers where 1" "WHOA!! STOP RIGHT THERE!"
It was truly amazing to a dev order fly so quickly through the massive red tape at this place.
Admin
Admin
In standard SQL, '' is not a metacharacter. So if they are building a SQL statement with something like:
sql="select customer_id from customer where lastname='"+lastname+"';"
Then doubling any quotes means that the input string you give will result in the final SQL being
select customer_id from customer where lastname='''''; DROP TABLE users; --'
That is, it will look for customers named "''; DROP TABLE users; --". A strange last name, but no SQL injection.
Yes, some dialects of SQL treat a backslash as a meta character. For those, you should also double any backslashes or whatever you need to escape the escape.
If you want your code to work on multiple dialects of SQL, you should either have multiple escape functions, use prepared statements, or maybe just write a single escape function that works for all of them and too bad if someone wants to put back slashes in his text.
i.e. Paul is correct: Simply doubling quotes -- and handling other magic characters if your SQL dialect supports them -- is not only easier than searching for every possible dangerous SQL, but far more reliable.
I've never understood why people try to search for every possible dangerous SQL one could write, rather than just ensuring that everything entered is treated as text and not executable code so that you don't care what they enter.
Really now, surely even the most innocuous SQL could subvert an application. I don't need to drop a table to screw up an app. ANY query that is not the intended query would be dangerous. How about "update customer set credit_limit=1000000.00 where customer_id=..." or even "select name, address, city, state, zip from customer" might be interesting to a competitor.
This would be like having a security system where instead of only admitting employees and registered vistors to your top secret facility, you admitted anyone EXCEPT those found on the FBI's 10 Most Wanted List. Sure, that would keep out a few of the most obviously dangerous people, but is hardly adequate security.
Admin
Oho! Yet another example of SQL sanitization being woefully inefficient for anyone with a SQL grammar. Truly worth attention on the front page.
Seriously, when do you retire a class of WTFs and let a new class of failures take its place?
Admin
Amen! This is exactly what I was thinking!
On the original posting, maintaining this "Whack-a-Mole" code will be quite an ongioing cash cow for the vendor - especially as it screws up legitemate databeing entered by the users.
"I submitted a bug about the 'gumdrop columns' into the help system, and all it stored was 'gums?!'"
Admin
Admin
Why can I see this as the next support wtf showing up here?
Plaga: I got-a the plag-a!
Admin
Please don't do that. Then when you have to send a plain-text email or export a CSV or let the user-re-edit the content or any of a number of other things you' end up with, for instance, """ peppered all over your text.
Much better to escape the HTML after you retrieve it from the DB and before you output it to the page (although, granted, that means you have to trust your developers to do so.)
Admin
Can't we stop repeating these memes ad nauseum? It's getting so that... er... uh.... Oh what the heck!
I want to be embedded with the Irish Girl!
Admin
Admin
To everyone saying "MySQL!", this is from the postgresql manual:
"If the configuration parameter standard_conforming_strings is off, then PostgreSQL recognizes backslash escapes in both regular and escape string constants. This is for backward compatibility with the historical behavior, in which backslash escapes were always recognized. Although standard_conforming_strings currently defaults to off, the default will change to on in a future release for improved standards compliance."
You should always either use parameterised queries, or use the god damn escape function provided by the library!
Admin
Stored procedures without parameterized statements are still prone to SQL injection.
OMG, please don't store html in my db. Html is for the presentation layer. Nobody's last name is actually "Smith".
Admin
SqlStr = "select * from customer_order where order_id = " + inputFromAnEmbeddedLink
In this case a simple input of
OR 2>1
does not even need to break out of the quoted string. Parameterized queries are the only way to go...
Good error handling also helps... If you know you should receive exactly one row for a particular query, then RollBack if you don't get it.
In addition to having the customer sign an acknowledgement of the problem prior to installing the program, include language to hold vendors' feet to the fire in the contract.
Admin
The solution is to analyze what acceptable values you want to stuff into the database.
Admin
Admin
My current client where I work onsite is notorious for a) writing a stored procedure for every interraction with the database (supposedly for performance and security reasons), and b) doing nearly 100% SQL string concatenation in those stored procedures (almost completely negating the possibility of any performance or security improvements). They have to jump though all the same hoops as if the SQL were being built outside the database to prevent SQL injection attacks.
Admin
Why don't you all just use mysql_REAL_escape_string()? I mean... it is REALLY escaping the string for mysql, not just merely adding some slashes...
Admin
Well it would NOT have helped the political party in germany whose chatsite became a porn/SM-page: http://asset.soup.io/asset/0707/3492_3515_800.jpeg
Admin
Admin
Admin
What's your excuse?
Admin
Admin
asprintf (&SqlStr, "select * from customer_order where order_id = %u", atoi (inputFromAnEmbeddedLink));Admin
Just make sure order #0 doesn't exist.
Admin
Yetihehe said: Why don't you all just use mysql_REAL_escape_string()? I mean... it is REALLY escaping the string for mysql, not just merely adding some slashes...
Because we're not using PHP or MySQL, and the real solution is paramaterization.
If you think the real solution is anything else, you're wrong.
See how simple that is?
Admin
Thankfully, not altogether impossible. Simply post any code that you propose to use in the 'real world' on this site and the resident experts will gladly explain all the vulnerabilities.
As an added bonus, they will also collaborate together to ensure that you have adhered to the most stringent programming principles and assess your value as a developer (if not human being)....
Admin
There are far more sarcastic, trolliscious, and flat-out wrong answers here than any real solutions. But feel free to post any code at all--you will be mocked for your crappy code and/or your inability to see that is/is not bad.
Admin
Hows about making sure that certain punctuation characters aren't allowed in a name field. An Apostrophe or a hyphen are probably the only non-alphabetic characters required to display a name (and maybe numbers for King Henry 4 {although I suspect he would use IV}). For addresses things may be a little more complex, but we should still be able to limit the number of non-alphanumeric characters allowed. Getting rid of any entered semi-colon goes a long way (although doesn't stop the problem entirely, I don't think)...and reducing other punctuation {such as brackets} can help a lot too.
It may mean that people can only enter their names in English, but provided it's an English system that shouldn't be too much a problem
Admin
Indeed!!
I think perhaps you missed the point....
Admin
Okay, don't want to look the idiot, but why would we rollback on a select? Are we afraid (because we got an unexpected result) that they may also have sneaked a few other niceties in there?
Admin
You are obviously working with simplistic requirements. There are cases where parameterised queries/procedures work, and there are cases where they can't work. If that is the only tool in your box, then you will be stuck if you come across a scenario where they won't work.
At the moment I am working on something which requires an arbitrary query to be submitted in one form, and converted to another (in my case, an LDAP query converted to an SQL query). There is no way to do this using parameterisation AND take advantage of the DB's query optimiser. I could use parameterisation and do lots of queries and then do procedural unions/intersects, but that is really slow and complicated (I may as well use a flat file for data storage instead of a relational DB). Or, I can create an SQL query based on the LDAP query, and pass that to the DB to let it do its query optimisation magic, which ends up with the query being really quick.
For this, you HAVE to build a query on the fly, and you HAVE to quote the parameters. Quoting the parameters is not hard, as long as you know the DB's metacharacters. Once you do that, it is no less secure than using parameterised queries/procedures.
Admin
Best comment on this story
Admin
Admin
Better yet, don't allow manky data that it's difficult to handle into your database in the first place. Telephone field? Why not only accept numeric characters and dashes? Address field? Why do you need CRs, LFs, null bytes, and diamond brackets?
If you whitelist characters for given form fields, and encode whenever you handle data from untrusted source (this means user-supplied data, or any data which might be user-supplied, derived, or influenced, from external SOAP calls to database rows), chances are you'll make XSS very difficult.
And if you do encode, please, please take care of all the special-use characters in javascript and HTML. <>"' isn't good enough. See OWASP for more details.
Now, onto XSRF...
Admin
Unless you are sure it will always need to be html, or unhtml is a good enough solution. I agree with your point in general, but the right answer is always dependant on the situation.
Admin
Practising the Principle of Least Priviledge is always a good idea, but it doesn't prevent SQL Injection.
Secure information can be leaked in a read-only environment as well. Consider the addition of "union select user,password from users". Or "select employee,salary from bonuses".
Admin
SELECT x, y, z from a, b, c where p=? and q=? and r=? then go through & add all the parameters.
rather than
SELECT x, y, z from a, b, c where p='bob' and q='arthur' and r=27
You quite obviously have all the information you need so why not just do the right thing?
Admin
There are 2 grammatical errors at the end of your article "they told us were beeing too picky, and had us install the application anyway." First, you an extra 'e' in 'being'. Second, it should be 'we're' not 'were'
Admin
If you don't limit DB access via Stored Procedures and Prepared Statements then you deserve all the pain you will get (and it's just a matter of when).
Still, if you're a dumbass and persist in building your own queries, at least do something like this with your inputs...
internal static string FQ(string WhichField) { if (WhichField != null) { WhichField = Regex.Replace(WhichField, @"[^\sa-z0-9]", "", RegexOptions.IgnoreCase | RegexOptions.SingleLine); } return WhichField; }
Admin
update financialrecords set amountinallbankaccounts = 1000000000000000;
Admin
return Strings.Trim(Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(expression, "1=1", "", 1, -1, CompareMethod.Text), "1 =1", "", 1, -1, CompareMethod.Text), "1= 1", "", 1, -1, CompareMethod.Text), "1 = 1", "", 1, -1, CompareMethod.Text));
Admin
I reckon it should be "we were" not "we're" (ie "we were" rather than "we are" ("we were" might be shortened to "we're" somewhere in the world, but I've never seen it))
anywho, I think your beeing two picky
Admin
Admin
Might be nice to have but are certainly not required....(I know many people who have names with umlauts or other marks, who simply leave them off when creating forms). If required, you can always create an 'allowable character set' (which you can later extend if you need to because vast hordes of people want a certain character).
Either way, my reading is that the OP was saying you can filter punctuation and non-alphabetic letters. Language specific letters and accented letters would still be letters, I would think, so I'm not quite sure the point you're making?
Admin