SlideShare a Scribd company logo

Sql Injection Myths and Fallacies

Karwin Software Solutions LLC
Karwin Software Solutions LLC

The most massive crime of identity theft in history was perpetrated in 2007 by exploiting an SQL Injection vulnerability. This issue is one of the most common and most serious threats to web application security. In this presentation, you'll see some common myths busted and you'll get a better understanding of defending against SQL injection.

Technology
1 of 77
Download to read offline
SQL INJECTION MYTHS AND FALLACIES Bill Karwin
ME • Software developer • C, Java, Perl, PHP, Ruby, SQL • Author of SQL Antipatterns: 
 Avoiding the Pitfalls of Database Programming
WHAT IS SQL INJECTION? http://example.com/show.php?bugid=1234 SELECT * FROM Bugs 
 WHERE bug_id = $_GET['bugid'] user input
WHAT IS SQL INJECTION? http://example.com/show.php?bugid=1234 ORTRUE SELECT * FROM Bugs 
 WHERE bug_id = 1234 ORTRUE unintended logic
WORSE SQL INJECTION http://example.com/changepass.php?acctid=1234
 &pass=xyzzy UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
WORSE SQL INJECTION http://example.com/changepass.php?acctid=1234 ORTRUE
 &pass=xyzzy'), admin=('1 UPDATE Accounts 
 SET password = SHA2('xyzzy'), admin=('1')
 WHERE account_id = 1234 ORTRUE changes password for all accounts changes account to administrator
MYTHS AND FALLACIES Based on a grain of truth, 
 but derives a wrong conclusion Based on a false assumption, 
 but derives a logical conclusion MYTH FALLACY
MYTH “SQL Injection is an old problem―so I don’t have to worry about it.” MYTH
ARCHOS • Christmas 2014 • “French smartphone maker Archos was compromised by a SQL injection attack last Christmas, resulting in the leak of up to 100,000 customer details.” • http://www.scmagazineuk.com/up-to-100k-archos-customers-compromised-by-sql-injection-attack/article/395642/
WORDPRESS • February 2015 • “One Million WordPress WebsitesVulnerable to SQL Injection Attack” • http://www.tripwire.com/state-of-security/latest-security-news/one-million-wordpress-websites-vulnerable-to-sql-injection-attack/
DRUPAL • March 2015 • “Drupal SQL injection vulnerability attacks persist, despite patch release” • http://www.scmagazine.com/trustwave-details-drupal-sql-injection-attack/article/404719/
MYTH “Escaping input 
 prevents SQL injection.” MYTH
ESCAPING & FILTERING http://example.com/changepass.php?acctid=1234 ORTRUE
 &pass=xyzzy'), admin=('1 UPDATE Accounts 
 SET password = SHA2('xyzzy'), admin=('1')
 WHERE account_id = 1234 coerced to 
 integer backslash escapes special characters
ESCAPING & FILTERING FUNCTIONS <?php $password = $_POST["password"];
 $password_escaped = mysqli_real_escape_string($password); $id = (int) $_POST["account"]; $sql = "UPDATE Accounts
 SET password = SHA2(‘{$password_escaped}’)
 WHERE account_id = {$id}"; mysql_query($sql);
ESCAPING & FILTERING FUNCTIONS <?php $password = $_POST["password"];
 $password_quoted = $pdo->quote($password); $id = filter_input(INPUT_POST, "account", 
 FILTER_SANITIZE_NUMBER_INT); $sql = "UPDATE Accounts
 SET password = SHA2( {$password_quoted} )
 WHERE account_id = {$id}"; $pdo->query($sql);
IDENTIFIERS AND KEYWORDS <?php $column = $_GET["order"];
 $column_delimited = $pdo->FUNCTION?($column); $direction = $_GET["dir"]; $sql = "SELECT * FROM Bugs
 ORDER BY {$column_delimited} {$direction}"; $pdo->query($sql); no API to support delimited identifiers keywords get no quoting
MYTH “If some escaping is good, more must be better.” MYTH
OVERKILL? <?php function sanitize($string){     
   $string = strip_tags($string); 
   $string = htmlspecialchars($string);
   $string = trim(rtrim(ltrim($string))); 
   $string = mysql_real_escape_string($string);
   return $string;
 } $password = sanitize( $_POST["password"] ); real function from 
 a user’s project
“FIRE EVERYTHING!!”
JUSTTHE ONE WILL DO <?php $password = mysqli_real_escape_string( 
 $_POST["password"] ); mysqli_query("UPDATE Users 
 SET password = '$password' 
 WHERE user_id = $user_id");
MYTH “I can write my own 
 escaping function.” MYTH
PLEASE DON’T • http://example.org/login.php?account=%bf%27 OR 'x'='x • $account = addslashes($_REQUEST(“account”)); • addslashes() sees a single-quote (%27) and inserts backslash (%5c). Result:
 %bf%5c%27 OR 'x'='x valid multi-byte character in GBK: 縗 single-quote
GRANT ACCESSTO ANY ACCOUNT • Interpolating: SELECT * FROM Accounts 
 WHERE account = '{$account}' 
 AND password = '{$passwd}' • Results in: SELECT * FROM Accounts 
 WHERE account = '縗' OR 'x'= 'x' 
 AND password = 'xyzzy' • http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string • http://bugs.mysql.com/bug.php?id=8378
SOLUTIONS • Use driver-provided escaping functions: • mysqli::real_escape_string() • PDO::quote() • Use API functions to set the client character set: • mysqli::set_charset() • http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html • Use UTF-8 instead of GBK, SJIS, etc.
MYTH “Unsafe data comes from users―if it’s already in the database, then it’s safe.” MYTH
NOT NECESSARILY $sql = "SELECT product_name FROM Products";
 $prodname = $pdo->query($sql)->fetchColumn(); $sql = "SELECT * FROM Bugs 
 WHERE MATCH(summary, description) 
 AGAINST ('{$prodname}')"; not safe input
FALLACY “Using stored procedures prevents SQL Injection.” FALLACY
STATIC SQL IN PROCEDURES CREATE PROCEDURE FindBugById (IN bugid INT)
 BEGIN
 SELECT * FROM Bugs WHERE bug_id = bugid;
 END CALL FindByBugId(1234) filtering by data type is a good thing
DYNAMIC SQL IN PROCEDURES CREATE PROCEDURE BugsOrderBy
 (IN column_nameVARCHAR(100), 
 IN directionVARCHAR(4))
 BEGIN
 SET @query = CONCAT(
 'SELECT * FROM Bugs ORDER BY ', 
 column_name, ' ', direction);
 PREPARE stmt FROM @query;
 EXECUTE stmt;
 END CALL BugsOrderBy('date_reported', 'DESC') interpolating arbitrary strings = SQL injection
WORTHY OFTHEDAILYWTF CREATE PROCEDURE QueryAnyTable
 (IN table_nameVARCHAR(100))
 BEGIN
 SET @query = CONCAT(
 'SELECT * FROM ', table_name);
 PREPARE stmt FROM @query;
 EXECUTE stmt;
 END CALL QueryAnyTable( '(SELECT * FROM ...)' ) http://thedailywtf.com/Articles/For-the-Ease-of-Maintenance.aspx
MYTH “Conservative SQL privileges limit the damage.” MYTH
DENIAL OF SERVICE SELECT * FROM Bugs JOIN Bugs 
 JOIN Bugs JOIN Bugs JOIN Bugs 
 JOIN Bugs
 100 bugs = 1 trillion rows
DENIAL OF SERVICE SELECT * FROM Bugs JOIN Bugs 
 JOIN Bugs JOIN Bugs JOIN Bugs 
 JOIN Bugs 
 ORDER BY 1 still requires only SELECT privilege
JUST ASKING FOR IT http://www.example.com/show.php?
 query=SELECT%20*%20FROM%20Bugs
FALLACY “It’s just an intranet application―it doesn’t 
 need to be secure.” FALLACY
JUST ASKTHIS MANAGER
WHAT STAYS ONTHE INTRANET? • You could be told to give business partners access to an internal application UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
WHAT STAYS ONTHE INTRANET? • Your casual code could be copied & pasted into external applications UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
WHAT STAYS ONTHE INTRANET? • It’s hard to argue for a security review or rewrite for a “finished” application $$$ UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id ?
MYTH “My framework 
 prevents SQL Injection.” MYTH
ORMS ALLOW CUSTOM SQL • Dynamic SQL always risks SQL Injection, 
 for example Rails ActiveRecord: Bugs.all(
 :joins => "JOIN Accounts 
 ON reported_by = account_id",
 
 :order => "date_reported DESC"
 ) any custom SQL can carry SQL injection
WHOSE RESPONSIBILITY? • Security is the application developer’s job • No database, connector, or framework can prevent SQL injection all the time
FALLACY “Query parameters do quoting for you.” FALLACY
INTERPOLATING DYNAMIC VALUES • Query needs a dynamic value: SELECT * FROM Bugs 
 WHERE bug_id = $_GET['bugid'] user input
USING A PARAMETER • Query parameter takes the place of a dynamic value: SELECT * FROM Bugs 
 WHERE bug_id = ? parameter placeholder
HOWTHE DATABASE PARSES IT query SELECT FROM WHERE expr-list * simple- table expr bugs parameter
 placeholder ? bug_id =equality
HOWTHE DATABASE EXECUTES IT query SELECT FROM WHERE expr-list * simple- table expr bugs 1234 bug_id = parameter
 value equality
INTERPOLATION query SELECT FROM WHERE expr-list * simple- table expr 1234 bugs bug_id = TRUE OR SQL injection equality
PARAMETERIZATION query SELECT FROM WHERE expr-list * simple- table expr bugs 1234 OR TRUE bug_id = no parameter
 can change the tree equality
PREPARE & EXECUTE Client Server parse query send parameters send SQL optimize query execute query return results prepare query execute query repeat with 
 different 
 parameters bind parameters convert to machine- readable form
MYTH “Query parameters prevent SQL Injection.” MYTH
ONE PARAMETER = ONEVALUE SELECT * FROM Bugs 
 WHERE bug_id = ?
NOT A LIST OFVALUES SELECT * FROM Bugs 
 WHERE bug_id IN ( ? )
NOT ATABLE NAME SELECT * FROM ? 
 WHERE bug_id = 1234
NOT A COLUMN NAME SELECT * FROM Bugs 
 ORDER BY ?
NOT AN SQL KEYWORD SELECT * FROM Bugs 
 ORDER BY date_reported ?
INTERPOLATIONVS. PARAMETERS Scenario Example Value Interpolation Parameter single value ‘1234’ SELECT * FROM Bugs 
 WHERE bug_id = $id SELECT * FROM Bugs 
 WHERE bug_id = ? multiple values ‘1234, 3456, 5678’ SELECT * FROM Bugs 
 WHERE bug_id IN ($list) SELECT * FROM Bugs 
 WHERE bug_id IN ( ?, ?, ? ) table name ‘Bugs’ SELECT * FROM $table 
 WHERE bug_id = 1234 NO column name ‘date_reported’ SELECT * FROM Bugs 
 ORDER BY $column NO other syntax ‘DESC’ SELECT * FROM Bugs 
 ORDER BY date_reported $direction NO
SOLUTION Whitelist Maps SOLUTION
EXAMPLE SQL INJECTION http://www.example.com/?order=date_reported&dir=ASC <?php $sortorder = $_GET["order"];
 $direction = $_GET["dir"]; $sql = "SELECT * FROM Bugs 
 ORDER BY {$sortorder} {$direction}"; $stmt = $pdo->query($sql); unsafe inputs SQL Injection
FIX WITH A WHITELIST MAP <?php $sortorders = array( "DEFAULT" => "bug_id",
 "status" => "status",
 "date" => "date_reported" ); $directions = array( "DEFAULT" => "ASC",
 "up" => "ASC",
 "down" => "DESC" ); application request values SQL identifiers and keywords
MAP USER INPUTTO SAFE SQL <?php $direction = $directions[ $_GET["dir"] ] ?: $directions["DEFAULT"];
INTERPOLATE SAFE SQL http://www.example.com/?order=date&dir=up <?php $sql = "SELECT * FROM Bugs 
 ORDER BY {$sortorder} {$direction}"; $stmt = $pdo->query($sql); whitelisted values
BENEFITS OF WHITELIST MAPS •Protects against SQL injection in cases where escaping and parameterization doesn’t help. •Decouples web interface from database schema. •Uses simple, declarative technique. •Works independently of any framework.
FALLACY “Queries parameters 
 hurt SQL performance.” FALLACY
SIMPLE QUERY Profiled Elapsed
COMPLEX QUERY Profiled Elapsed
MYTH “A proxy/firewall solution 
 prevents SQL injection.” MYTH
ORACLE DATABASE FIREWALL • Reverse proxy between application and Oracle •Whitelist of known SQL queries •Learns legitimate queries from application traffic •Blocks unknown SQL queries •Also supports Microsoft SQL Server, IBM DB2, Sybase ASE, SQL Anywhere • http://www.oracle.com/technetwork/database/database-firewall/overview/index.html
GREENSQL • Reverse proxy for MySQL, PostgreSQL, Microsoft SQL Server • Detects / reports / blocks “suspicious” queries: •Access to sensitive tables •Comments inside SQL commands •An ‘or’ token inside a query •An SQL expression that always returns true • http://www.greensql.net/about
STILL NOT PERFECT • Vipin Samar, Oracle vice president of Database Security: • “Database Firewall is a good first layer of defense for databases but it won't protect you from everything,” 
 http://www.databasejournal.com/features/oracle/article.php/3924691/article.htm • GreenSQL Architecture • “GreenSQL can sometimes generate false positive and false negative errors.As a result, some legal queries may be blocked or the GreenSQL system may pass through an illegal query undetected.”
 http://www.greensql.net/about
LIMITATIONS OF PROXY SOLUTIONS •False sense of security; discourages code review •Gating factor for emergency code deployment •Constrains application from writing dynamic SQL •Doesn’t stop SQL injection in Stored Procedures
FALLACY “NoSQL databases are immune to SQL injection.” FALLACY
“NOSQL INJECTION” http://www.example.com?column=password <?php $map = new MongoCode("function() { 
 emit(this." . $_GET["column"] . ",1); 
 } "); $data = $db->command( array(
 "mapreduce" => "Users",
 "map" => $map
 ) ); any string-interpolation of untrusted content
 is Code Injection
NOSQL INJECTION INTHE WILD • Diaspora wrote MongoDB map/reduce functions dynamically from Ruby on Rails: • def self.search(query)
 Person.all('$where' => "function() { 
 return this.diaspora_handle.match(/^#{query}/i) ||
 this.profile.first_name.match(/^#{query}/i) ||
 this.profile.last_name.match(/^#{query}/i); }")
 end • http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/ did query come from a trusted source?
MYTHS AND FALLACIES • I don’t have to worry anymore • Escaping is the fix • More escaping is better • I can code an escaping function • Only user input is unsafe • Stored procs are the fix • SQL privileges are the fix • My app doesn’t need security • Frameworks are the fix • Parameters quote for you • Parameters are the fix • Parameters make queries slow • SQL proxies are the fix • NoSQL databases are the fix there is no single silver bullet—
 use all defenses when appropriate
SQL ANTIPATTERNS http://www.pragprog.com/titles/bksqla/
LICENSE AND COPYRIGHT Copyright 2010-2015 Bill Karwin www.slideshare.net/billkarwin Released under a Creative Commons 3.0 License: 
 http://creativecommons.org/licenses/by-nc-nd/3.0/ You are free to share - to copy, distribute and 
 transmit this work, under the following conditions: Attribution. 
 You must attribute this work to Bill Karwin. Noncommercial. 
 You may not use this work for commercial purposes. No Derivative Works. 
 You may not alter, transform, or build upon this work.

Recommended

Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Sqlmap
SqlmapSqlmap
SqlmapInstitute of Information Security (IIS)
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in PythonPublic Broadcasting Service
 

Recommended

Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Sqlmap
SqlmapSqlmap
SqlmapInstitute of Information Security (IIS)
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in PythonPublic Broadcasting Service
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
Sql Antipatterns Strike Back
Sql Antipatterns Strike BackSql Antipatterns Strike Back
Sql Antipatterns Strike BackKarwin Software Solutions LLC
 
Chapter 4 Structured Query Language
Chapter 4 Structured Query LanguageChapter 4 Structured Query Language
Chapter 4 Structured Query LanguageEddyzulham Mahluzydde
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Oracle sql high performance tuning
Oracle sql high performance tuningOracle sql high performance tuning
Oracle sql high performance tuningGuy Harrison
 
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevAltinity Ltd
 
Client-side JavaScript
Client-side JavaScriptClient-side JavaScript
Client-side JavaScriptLilia Sfaxi
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
How to Use JSON in MySQL Wrong
How to Use JSON in MySQL WrongHow to Use JSON in MySQL Wrong
How to Use JSON in MySQL WrongKarwin Software Solutions LLC
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Sqlmap
SqlmapSqlmap
Sqlmapshamshad9
 
Oracle SQL Basics
Oracle SQL BasicsOracle SQL Basics
Oracle SQL BasicsDhananjay Goel
 
Spring data jpa
Spring data jpaSpring data jpa
Spring data jpaJeevesh Pandey
 
InnoDB Locking Explained with Stick Figures
InnoDB Locking Explained with Stick FiguresInnoDB Locking Explained with Stick Figures
InnoDB Locking Explained with Stick FiguresKarwin Software Solutions LLC
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 

More Related Content

What's hot

SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Oracle sql high performance tuning
Oracle sql high performance tuningOracle sql high performance tuning
Oracle sql high performance tuningGuy Harrison
 
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevAltinity Ltd
 
Client-side JavaScript
Client-side JavaScriptClient-side JavaScript
Client-side JavaScriptLilia Sfaxi
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 

What's hot (20)

Sql injection
Sql injectionSql injection
Sql injection
 
Sql Antipatterns Strike Back
Sql Antipatterns Strike BackSql Antipatterns Strike Back
Sql Antipatterns Strike Back
 
Chapter 4 Structured Query Language
Chapter 4 Structured Query LanguageChapter 4 Structured Query Language
Chapter 4 Structured Query Language
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Oracle sql high performance tuning
Oracle sql high performance tuningOracle sql high performance tuning
Oracle sql high performance tuning
 
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
 
Client-side JavaScript
Client-side JavaScriptClient-side JavaScript
Client-side JavaScript
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
How to Use JSON in MySQL Wrong
How to Use JSON in MySQL WrongHow to Use JSON in MySQL Wrong
How to Use JSON in MySQL Wrong
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Oracle SQL Basics
Oracle SQL BasicsOracle SQL Basics
Oracle SQL Basics
 
Spring data jpa
Spring data jpaSpring data jpa
Spring data jpa
 

Viewers also liked

SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 

Viewers also liked (20)

InnoDB Locking Explained with Stick Figures
InnoDB Locking Explained with Stick FiguresInnoDB Locking Explained with Stick Figures
InnoDB Locking Explained with Stick Figures
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
How to Design Indexes, Really
How to Design Indexes, ReallyHow to Design Indexes, Really
How to Design Indexes, Really
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql query patterns, optimized
Sql query patterns, optimizedSql query patterns, optimized
Sql query patterns, optimized
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
Mentor Your Indexes
Mentor Your IndexesMentor Your Indexes
Mentor Your Indexes
 
Survey of Percona Toolkit
Survey of Percona ToolkitSurvey of Percona Toolkit
Survey of Percona Toolkit
 
Extensible Data Modeling
Extensible Data ModelingExtensible Data Modeling
Extensible Data Modeling
 
SQL Outer Joins for Fun and Profit
SQL Outer Joins for Fun and ProfitSQL Outer Joins for Fun and Profit
SQL Outer Joins for Fun and Profit
 
Models for hierarchical data
Models for hierarchical dataModels for hierarchical data
Models for hierarchical data
 
Schemadoc
SchemadocSchemadoc
Schemadoc
 
Requirements the Last Bottleneck
Requirements the Last BottleneckRequirements the Last Bottleneck
Requirements the Last Bottleneck
 
Percona toolkit
Percona toolkitPercona toolkit
Percona toolkit
 
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB StatusMySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB Status
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Practical Object Oriented Models In Sql
Practical Object Oriented Models In SqlPractical Object Oriented Models In Sql
Practical Object Oriented Models In Sql
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 

Similar to Sql Injection Myths and Fallacies

03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17Eoin Keary
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-onAndrea Valenza
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Colin O'Dell
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Colin O'Dell
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better SecurityColin O'Dell
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASPMizno Kruge
 
A Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLA Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLkobaitari
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHPDave Ross
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application SecurityMahmud Ahsan
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Top 5 Magento Secure Coding Best Practices
Top 5 Magento Secure Coding Best PracticesTop 5 Magento Secure Coding Best Practices
Top 5 Magento Secure Coding Best PracticesOleksandr Zarichnyi
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Unit testing with zend framework tek11
Unit testing with zend framework tek11Unit testing with zend framework tek11
Unit testing with zend framework tek11Michelangelo van Dam
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Colin O'Dell
 
8 sql injection
8 sql injection8 sql injection
8 sql injectiondrewz lin
 

Similar to Sql Injection Myths and Fallacies (20)

SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-on
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better Security
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASP
 
A Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLA Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQL
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHP
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application Security
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
Top 5 Magento Secure Coding Best Practices
Top 5 Magento Secure Coding Best PracticesTop 5 Magento Secure Coding Best Practices
Top 5 Magento Secure Coding Best Practices
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
Unit testing with zend framework tek11
Unit testing with zend framework tek11Unit testing with zend framework tek11
Unit testing with zend framework tek11
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016
 
8 sql injection
8 sql injection8 sql injection
8 sql injection
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Sql Injection Myths and Fallacies

  • 1. SQL INJECTION MYTHS AND FALLACIES Bill Karwin
  • 2. ME • Software developer • C, Java, Perl, PHP, Ruby, SQL • Author of SQL Antipatterns: 
 Avoiding the Pitfalls of Database Programming
  • 3. WHAT IS SQL INJECTION? http://example.com/show.php?bugid=1234 SELECT * FROM Bugs 
 WHERE bug_id = $_GET['bugid'] user input
  • 4. WHAT IS SQL INJECTION? http://example.com/show.php?bugid=1234 ORTRUE SELECT * FROM Bugs 
 WHERE bug_id = 1234 ORTRUE unintended logic
  • 5. WORSE SQL INJECTION http://example.com/changepass.php?acctid=1234
 &pass=xyzzy UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
  • 6. WORSE SQL INJECTION http://example.com/changepass.php?acctid=1234 ORTRUE
 &pass=xyzzy'), admin=('1 UPDATE Accounts 
 SET password = SHA2('xyzzy'), admin=('1')
 WHERE account_id = 1234 ORTRUE changes password for all accounts changes account to administrator
  • 7. MYTHS AND FALLACIES Based on a grain of truth, 
 but derives a wrong conclusion Based on a false assumption, 
 but derives a logical conclusion MYTH FALLACY
  • 8. MYTH “SQL Injection is an old problem―so I don’t have to worry about it.” MYTH
  • 9. ARCHOS • Christmas 2014 • “French smartphone maker Archos was compromised by a SQL injection attack last Christmas, resulting in the leak of up to 100,000 customer details.” • http://www.scmagazineuk.com/up-to-100k-archos-customers-compromised-by-sql-injection-attack/article/395642/
  • 10. WORDPRESS • February 2015 • “One Million WordPress WebsitesVulnerable to SQL Injection Attack” • http://www.tripwire.com/state-of-security/latest-security-news/one-million-wordpress-websites-vulnerable-to-sql-injection-attack/
  • 11. DRUPAL • March 2015 • “Drupal SQL injection vulnerability attacks persist, despite patch release” • http://www.scmagazine.com/trustwave-details-drupal-sql-injection-attack/article/404719/
  • 12. MYTH “Escaping input 
 prevents SQL injection.” MYTH
  • 13. ESCAPING & FILTERING http://example.com/changepass.php?acctid=1234 ORTRUE
 &pass=xyzzy'), admin=('1 UPDATE Accounts 
 SET password = SHA2('xyzzy'), admin=('1')
 WHERE account_id = 1234 coerced to 
 integer backslash escapes special characters
  • 14. ESCAPING & FILTERING FUNCTIONS <?php $password = $_POST["password"];
 $password_escaped = mysqli_real_escape_string($password); $id = (int) $_POST["account"]; $sql = "UPDATE Accounts
 SET password = SHA2(‘{$password_escaped}’)
 WHERE account_id = {$id}"; mysql_query($sql);
  • 15. ESCAPING & FILTERING FUNCTIONS <?php $password = $_POST["password"];
 $password_quoted = $pdo->quote($password); $id = filter_input(INPUT_POST, "account", 
 FILTER_SANITIZE_NUMBER_INT); $sql = "UPDATE Accounts
 SET password = SHA2( {$password_quoted} )
 WHERE account_id = {$id}"; $pdo->query($sql);
  • 16. IDENTIFIERS AND KEYWORDS <?php $column = $_GET["order"];
 $column_delimited = $pdo->FUNCTION?($column); $direction = $_GET["dir"]; $sql = "SELECT * FROM Bugs
 ORDER BY {$column_delimited} {$direction}"; $pdo->query($sql); no API to support delimited identifiers keywords get no quoting
  • 17. MYTH “If some escaping is good, more must be better.” MYTH
  • 18. OVERKILL? <?php function sanitize($string){     
   $string = strip_tags($string); 
   $string = htmlspecialchars($string);
   $string = trim(rtrim(ltrim($string))); 
   $string = mysql_real_escape_string($string);
   return $string;
 } $password = sanitize( $_POST["password"] ); real function from 
 a user’s project
  • 20. JUSTTHE ONE WILL DO <?php $password = mysqli_real_escape_string( 
 $_POST["password"] ); mysqli_query("UPDATE Users 
 SET password = '$password' 
 WHERE user_id = $user_id");
  • 21. MYTH “I can write my own 
 escaping function.” MYTH
  • 22. PLEASE DON’T • http://example.org/login.php?account=%bf%27 OR 'x'='x • $account = addslashes($_REQUEST(“account”)); • addslashes() sees a single-quote (%27) and inserts backslash (%5c). Result:
 %bf%5c%27 OR 'x'='x valid multi-byte character in GBK: 縗 single-quote
  • 23. GRANT ACCESSTO ANY ACCOUNT • Interpolating: SELECT * FROM Accounts 
 WHERE account = '{$account}' 
 AND password = '{$passwd}' • Results in: SELECT * FROM Accounts 
 WHERE account = '縗' OR 'x'= 'x' 
 AND password = 'xyzzy' • http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string • http://bugs.mysql.com/bug.php?id=8378
  • 24. SOLUTIONS • Use driver-provided escaping functions: • mysqli::real_escape_string() • PDO::quote() • Use API functions to set the client character set: • mysqli::set_charset() • http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html • Use UTF-8 instead of GBK, SJIS, etc.
  • 25. MYTH “Unsafe data comes from users―if it’s already in the database, then it’s safe.” MYTH
  • 26. NOT NECESSARILY $sql = "SELECT product_name FROM Products";
 $prodname = $pdo->query($sql)->fetchColumn(); $sql = "SELECT * FROM Bugs 
 WHERE MATCH(summary, description) 
 AGAINST ('{$prodname}')"; not safe input
  • 27. FALLACY “Using stored procedures prevents SQL Injection.” FALLACY
  • 28. STATIC SQL IN PROCEDURES CREATE PROCEDURE FindBugById (IN bugid INT)
 BEGIN
 SELECT * FROM Bugs WHERE bug_id = bugid;
 END CALL FindByBugId(1234) filtering by data type is a good thing
  • 29. DYNAMIC SQL IN PROCEDURES CREATE PROCEDURE BugsOrderBy
 (IN column_nameVARCHAR(100), 
 IN directionVARCHAR(4))
 BEGIN
 SET @query = CONCAT(
 'SELECT * FROM Bugs ORDER BY ', 
 column_name, ' ', direction);
 PREPARE stmt FROM @query;
 EXECUTE stmt;
 END CALL BugsOrderBy('date_reported', 'DESC') interpolating arbitrary strings = SQL injection
  • 30. WORTHY OFTHEDAILYWTF CREATE PROCEDURE QueryAnyTable
 (IN table_nameVARCHAR(100))
 BEGIN
 SET @query = CONCAT(
 'SELECT * FROM ', table_name);
 PREPARE stmt FROM @query;
 EXECUTE stmt;
 END CALL QueryAnyTable( '(SELECT * FROM ...)' ) http://thedailywtf.com/Articles/For-the-Ease-of-Maintenance.aspx
  • 32. DENIAL OF SERVICE SELECT * FROM Bugs JOIN Bugs 
 JOIN Bugs JOIN Bugs JOIN Bugs 
 JOIN Bugs
 100 bugs = 1 trillion rows
  • 33. DENIAL OF SERVICE SELECT * FROM Bugs JOIN Bugs 
 JOIN Bugs JOIN Bugs JOIN Bugs 
 JOIN Bugs 
 ORDER BY 1 still requires only SELECT privilege
  • 34. JUST ASKING FOR IT http://www.example.com/show.php?
 query=SELECT%20*%20FROM%20Bugs
  • 35. FALLACY “It’s just an intranet application―it doesn’t 
 need to be secure.” FALLACY
  • 37. WHAT STAYS ONTHE INTRANET? • You could be told to give business partners access to an internal application UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
  • 38. WHAT STAYS ONTHE INTRANET? • Your casual code could be copied & pasted into external applications UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
  • 39. WHAT STAYS ONTHE INTRANET? • It’s hard to argue for a security review or rewrite for a “finished” application $$$ UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id ?
  • 40. MYTH “My framework 
 prevents SQL Injection.” MYTH
  • 41. ORMS ALLOW CUSTOM SQL • Dynamic SQL always risks SQL Injection, 
 for example Rails ActiveRecord: Bugs.all(
 :joins => "JOIN Accounts 
 ON reported_by = account_id",
 
 :order => "date_reported DESC"
 ) any custom SQL can carry SQL injection
  • 42. WHOSE RESPONSIBILITY? • Security is the application developer’s job • No database, connector, or framework can prevent SQL injection all the time
  • 43. FALLACY “Query parameters do quoting for you.” FALLACY
  • 44. INTERPOLATING DYNAMIC VALUES • Query needs a dynamic value: SELECT * FROM Bugs 
 WHERE bug_id = $_GET['bugid'] user input
  • 45. USING A PARAMETER • Query parameter takes the place of a dynamic value: SELECT * FROM Bugs 
 WHERE bug_id = ? parameter placeholder
  • 46. HOWTHE DATABASE PARSES IT query SELECT FROM WHERE expr-list * simple- table expr bugs parameter
 placeholder ? bug_id =equality
  • 47. HOWTHE DATABASE EXECUTES IT query SELECT FROM WHERE expr-list * simple- table expr bugs 1234 bug_id = parameter
 value equality
  • 50. PREPARE & EXECUTE Client Server parse query send parameters send SQL optimize query execute query return results prepare query execute query repeat with 
 different 
 parameters bind parameters convert to machine- readable form
  • 52. ONE PARAMETER = ONEVALUE SELECT * FROM Bugs 
 WHERE bug_id = ?
  • 53. NOT A LIST OFVALUES SELECT * FROM Bugs 
 WHERE bug_id IN ( ? )
  • 54. NOT ATABLE NAME SELECT * FROM ? 
 WHERE bug_id = 1234
  • 55. NOT A COLUMN NAME SELECT * FROM Bugs 
 ORDER BY ?
  • 56. NOT AN SQL KEYWORD SELECT * FROM Bugs 
 ORDER BY date_reported ?
  • 57. INTERPOLATIONVS. PARAMETERS Scenario Example Value Interpolation Parameter single value ‘1234’ SELECT * FROM Bugs 
 WHERE bug_id = $id SELECT * FROM Bugs 
 WHERE bug_id = ? multiple values ‘1234, 3456, 5678’ SELECT * FROM Bugs 
 WHERE bug_id IN ($list) SELECT * FROM Bugs 
 WHERE bug_id IN ( ?, ?, ? ) table name ‘Bugs’ SELECT * FROM $table 
 WHERE bug_id = 1234 NO column name ‘date_reported’ SELECT * FROM Bugs 
 ORDER BY $column NO other syntax ‘DESC’ SELECT * FROM Bugs 
 ORDER BY date_reported $direction NO
  • 59. EXAMPLE SQL INJECTION http://www.example.com/?order=date_reported&dir=ASC <?php $sortorder = $_GET["order"];
 $direction = $_GET["dir"]; $sql = "SELECT * FROM Bugs 
 ORDER BY {$sortorder} {$direction}"; $stmt = $pdo->query($sql); unsafe inputs SQL Injection
  • 60. FIX WITH A WHITELIST MAP <?php $sortorders = array( "DEFAULT" => "bug_id",
 "status" => "status",
 "date" => "date_reported" ); $directions = array( "DEFAULT" => "ASC",
 "up" => "ASC",
 "down" => "DESC" ); application request values SQL identifiers and keywords
  • 61. MAP USER INPUTTO SAFE SQL <?php $direction = $directions[ $_GET["dir"] ] ?: $directions["DEFAULT"];
  • 62. INTERPOLATE SAFE SQL http://www.example.com/?order=date&dir=up <?php $sql = "SELECT * FROM Bugs 
 ORDER BY {$sortorder} {$direction}"; $stmt = $pdo->query($sql); whitelisted values
  • 63. BENEFITS OF WHITELIST MAPS •Protects against SQL injection in cases where escaping and parameterization doesn’t help. •Decouples web interface from database schema. •Uses simple, declarative technique. •Works independently of any framework.
  • 64. FALLACY “Queries parameters 
 hurt SQL performance.” FALLACY
  • 67. MYTH “A proxy/firewall solution 
 prevents SQL injection.” MYTH
  • 68. ORACLE DATABASE FIREWALL • Reverse proxy between application and Oracle •Whitelist of known SQL queries •Learns legitimate queries from application traffic •Blocks unknown SQL queries •Also supports Microsoft SQL Server, IBM DB2, Sybase ASE, SQL Anywhere • http://www.oracle.com/technetwork/database/database-firewall/overview/index.html
  • 69. GREENSQL • Reverse proxy for MySQL, PostgreSQL, Microsoft SQL Server • Detects / reports / blocks “suspicious” queries: •Access to sensitive tables •Comments inside SQL commands •An ‘or’ token inside a query •An SQL expression that always returns true • http://www.greensql.net/about
  • 70. STILL NOT PERFECT • Vipin Samar, Oracle vice president of Database Security: • “Database Firewall is a good first layer of defense for databases but it won't protect you from everything,” 
 http://www.databasejournal.com/features/oracle/article.php/3924691/article.htm • GreenSQL Architecture • “GreenSQL can sometimes generate false positive and false negative errors.As a result, some legal queries may be blocked or the GreenSQL system may pass through an illegal query undetected.”
 http://www.greensql.net/about
  • 71. LIMITATIONS OF PROXY SOLUTIONS •False sense of security; discourages code review •Gating factor for emergency code deployment •Constrains application from writing dynamic SQL •Doesn’t stop SQL injection in Stored Procedures
  • 72. FALLACY “NoSQL databases are immune to SQL injection.” FALLACY
  • 73. “NOSQL INJECTION” http://www.example.com?column=password <?php $map = new MongoCode("function() { 
 emit(this." . $_GET["column"] . ",1); 
 } "); $data = $db->command( array(
 "mapreduce" => "Users",
 "map" => $map
 ) ); any string-interpolation of untrusted content
 is Code Injection
  • 74. NOSQL INJECTION INTHE WILD • Diaspora wrote MongoDB map/reduce functions dynamically from Ruby on Rails: • def self.search(query)
 Person.all('$where' => "function() { 
 return this.diaspora_handle.match(/^#{query}/i) ||
 this.profile.first_name.match(/^#{query}/i) ||
 this.profile.last_name.match(/^#{query}/i); }")
 end • http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/ did query come from a trusted source?
  • 75. MYTHS AND FALLACIES • I don’t have to worry anymore • Escaping is the fix • More escaping is better • I can code an escaping function • Only user input is unsafe • Stored procs are the fix • SQL privileges are the fix • My app doesn’t need security • Frameworks are the fix • Parameters quote for you • Parameters are the fix • Parameters make queries slow • SQL proxies are the fix • NoSQL databases are the fix there is no single silver bullet—
 use all defenses when appropriate
  • 77. LICENSE AND COPYRIGHT Copyright 2010-2015 Bill Karwin www.slideshare.net/billkarwin Released under a Creative Commons 3.0 License: 
 http://creativecommons.org/licenses/by-nc-nd/3.0/ You are free to share - to copy, distribute and 
 transmit this work, under the following conditions: Attribution. 
 You must attribute this work to Bill Karwin. Noncommercial. 
 You may not use this work for commercial purposes. No Derivative Works. 
 You may not alter, transform, or build upon this work.