SlideShare a Scribd company logo
SQL INJECTION
MYTHS AND FALLACIES
Bill Karwin
ME
• Software developer
• C, Java, Perl, PHP, Ruby, SQL
• Author of SQL Antipatterns: 

Avoiding the Pitfalls of Database Programming
WHAT IS SQL INJECTION?
http://example.com/show.php?bugid=1234
SELECT * FROM Bugs 

WHERE bug_id = $_GET['bugid']
user input
WHAT IS SQL INJECTION?
http://example.com/show.php?bugid=1234 ORTRUE
SELECT * FROM Bugs 

WHERE bug_id = 1234 ORTRUE
unintended
logic
WORSE SQL INJECTION
http://example.com/changepass.php?acctid=1234

&pass=xyzzy
UPDATE Accounts 

SET password = SHA2('$password')

WHERE account_id = $account_id
WORSE SQL INJECTION
http://example.com/changepass.php?acctid=1234 ORTRUE

&pass=xyzzy'), admin=('1
UPDATE Accounts 

SET password = SHA2('xyzzy'), admin=('1')

WHERE account_id = 1234 ORTRUE
changes password
for all accounts
changes account to
administrator
MYTHS AND FALLACIES
Based on a grain of truth, 

but derives a wrong conclusion
Based on a false assumption, 

but derives a logical conclusion
MYTH
FALLACY
MYTH
“SQL Injection is an old
problem―so I don’t have to
worry about it.”
MYTH
ARCHOS
• Christmas 2014
• “French smartphone maker Archos was
compromised by a SQL injection attack last
Christmas, resulting in the leak of up to 100,000
customer details.”
• http://www.scmagazineuk.com/up-to-100k-archos-customers-compromised-by-sql-injection-attack/article/395642/
WORDPRESS
• February 2015
• “One Million WordPress WebsitesVulnerable to
SQL Injection Attack”
• http://www.tripwire.com/state-of-security/latest-security-news/one-million-wordpress-websites-vulnerable-to-sql-injection-attack/
DRUPAL
• March 2015
• “Drupal SQL injection vulnerability attacks
persist, despite patch release”
• http://www.scmagazine.com/trustwave-details-drupal-sql-injection-attack/article/404719/
MYTH
“Escaping input 

prevents SQL injection.”
MYTH
ESCAPING & FILTERING
http://example.com/changepass.php?acctid=1234 ORTRUE

&pass=xyzzy'), admin=('1
UPDATE Accounts 

SET password = SHA2('xyzzy'), admin=('1')

WHERE account_id = 1234
coerced to 

integer
backslash escapes
special characters
ESCAPING & FILTERING
FUNCTIONS
<?php
$password = $_POST["password"];

$password_escaped = mysqli_real_escape_string($password);
$id = (int) $_POST["account"];
$sql = "UPDATE Accounts

SET password = SHA2(‘{$password_escaped}’)

WHERE account_id = {$id}";
mysql_query($sql);
ESCAPING & FILTERING
FUNCTIONS
<?php
$password = $_POST["password"];

$password_quoted = $pdo->quote($password);
$id = filter_input(INPUT_POST, "account", 

FILTER_SANITIZE_NUMBER_INT);
$sql = "UPDATE Accounts

SET password = SHA2( {$password_quoted} )

WHERE account_id = {$id}";
$pdo->query($sql);
IDENTIFIERS AND KEYWORDS
<?php
$column = $_GET["order"];

$column_delimited = $pdo->FUNCTION?($column);
$direction = $_GET["dir"];
$sql = "SELECT * FROM Bugs

ORDER BY {$column_delimited} {$direction}";
$pdo->query($sql);
no API to support
delimited identifiers
keywords get no
quoting
MYTH
“If some escaping is good, more
must be better.”
MYTH
OVERKILL?
<?php
function sanitize($string){     

  $string = strip_tags($string); 

  $string = htmlspecialchars($string);

  $string = trim(rtrim(ltrim($string))); 

  $string = mysql_real_escape_string($string);

  return $string;

}
$password = sanitize( $_POST["password"] );
real function from 

a user’s project
“FIRE EVERYTHING!!”
JUSTTHE ONE WILL DO
<?php
$password = mysqli_real_escape_string( 

$_POST["password"] );
mysqli_query("UPDATE Users 

SET password = '$password' 

WHERE user_id = $user_id");
MYTH
“I can write my own 

escaping function.”
MYTH
PLEASE DON’T
• http://example.org/login.php?account=%bf%27 OR 'x'='x
• $account = addslashes($_REQUEST(“account”));
• addslashes() sees a single-quote (%27) and inserts
backslash (%5c). Result:

%bf%5c%27 OR 'x'='x
valid multi-byte
character in GBK: 縗
single-quote
GRANT ACCESSTO ANY
ACCOUNT
• Interpolating:
SELECT * FROM Accounts 

WHERE account = '{$account}' 

AND password = '{$passwd}'
• Results in:
SELECT * FROM Accounts 

WHERE account = '縗' OR 'x'= 'x' 

AND password = 'xyzzy'
• http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
• http://bugs.mysql.com/bug.php?id=8378
SOLUTIONS
• Use driver-provided escaping functions:
• mysqli::real_escape_string()
• PDO::quote()
• Use API functions to set the client character set:
• mysqli::set_charset()
• http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
• Use UTF-8 instead of GBK, SJIS, etc.
MYTH
“Unsafe data comes from
users―if it’s already in the
database, then it’s safe.”
MYTH
NOT NECESSARILY
$sql = "SELECT product_name FROM Products";

$prodname = $pdo->query($sql)->fetchColumn();
$sql = "SELECT * FROM Bugs 

WHERE MATCH(summary, description) 

AGAINST ('{$prodname}')";
not safe input
FALLACY
“Using stored procedures
prevents SQL Injection.”
FALLACY
STATIC SQL IN PROCEDURES
CREATE PROCEDURE FindBugById (IN bugid INT)

BEGIN

SELECT * FROM Bugs WHERE bug_id = bugid;

END
CALL FindByBugId(1234)
filtering by data type is a
good thing
DYNAMIC SQL IN
PROCEDURES
CREATE PROCEDURE BugsOrderBy

(IN column_nameVARCHAR(100), 

IN directionVARCHAR(4))

BEGIN

SET @query = CONCAT(

'SELECT * FROM Bugs ORDER BY ', 

column_name, ' ', direction);

PREPARE stmt FROM @query;

EXECUTE stmt;

END
CALL BugsOrderBy('date_reported', 'DESC')
interpolating arbitrary strings
= SQL injection
WORTHY OFTHEDAILYWTF
CREATE PROCEDURE QueryAnyTable

(IN table_nameVARCHAR(100))

BEGIN

SET @query = CONCAT(

'SELECT * FROM ', table_name);

PREPARE stmt FROM @query;

EXECUTE stmt;

END
CALL QueryAnyTable( '(SELECT * FROM ...)' )
http://thedailywtf.com/Articles/For-the-Ease-of-Maintenance.aspx
MYTH
“Conservative SQL privileges
limit the damage.”
MYTH
DENIAL OF SERVICE
SELECT * FROM Bugs JOIN Bugs 

JOIN Bugs JOIN Bugs JOIN Bugs 

JOIN Bugs

100 bugs = 1 trillion rows
DENIAL OF SERVICE
SELECT * FROM Bugs JOIN Bugs 

JOIN Bugs JOIN Bugs JOIN Bugs 

JOIN Bugs 

ORDER BY 1
still requires only
SELECT privilege
JUST ASKING FOR IT
http://www.example.com/show.php?

query=SELECT%20*%20FROM%20Bugs
FALLACY
“It’s just an intranet
application―it doesn’t 

need to be secure.”
FALLACY
JUST ASKTHIS MANAGER
WHAT STAYS ONTHE
INTRANET?
• You could be told to give business partners access
to an internal application
UPDATE Accounts 

SET password =
SHA2('$password')

WHERE account_id =
$account_id
WHAT STAYS ONTHE
INTRANET?
• Your casual code could be copied & pasted into
external applications
UPDATE Accounts 

SET password =
SHA2('$password')

WHERE account_id =
$account_id
UPDATE Accounts 

SET password =
SHA2('$password')

WHERE account_id =
$account_id
WHAT STAYS ONTHE
INTRANET?
• It’s hard to argue for a security review or rewrite
for a “finished” application
$$$
UPDATE Accounts 

SET password =
SHA2('$password')

WHERE account_id =
$account_id
?
MYTH
“My framework 

prevents SQL Injection.”
MYTH
ORMS ALLOW CUSTOM SQL
• Dynamic SQL always risks SQL Injection, 

for example Rails ActiveRecord:
Bugs.all(

:joins => "JOIN Accounts 

ON reported_by = account_id",



:order => "date_reported DESC"

)
any custom SQL can carry
SQL injection
WHOSE RESPONSIBILITY?
• Security is the application developer’s job
• No database, connector, or framework can
prevent SQL injection all the time
FALLACY
“Query parameters do quoting
for you.”
FALLACY
INTERPOLATING DYNAMIC
VALUES
• Query needs a dynamic value:
SELECT * FROM Bugs 

WHERE bug_id = $_GET['bugid']
user input
USING A PARAMETER
• Query parameter takes the place of a dynamic
value:
SELECT * FROM Bugs 

WHERE bug_id = ?
parameter
placeholder
HOWTHE DATABASE PARSES IT
query
SELECT
FROM
WHERE
expr-list *
simple-
table
expr
bugs
parameter

placeholder
?
bug_id
=equality
HOWTHE DATABASE EXECUTES IT
query
SELECT
FROM
WHERE
expr-list *
simple-
table
expr
bugs
1234
bug_id
=
parameter

value
equality
INTERPOLATION
query
SELECT
FROM
WHERE
expr-list *
simple-
table
expr
1234
bugs
bug_id
=
TRUE
OR
SQL injection
equality
PARAMETERIZATION
query
SELECT
FROM
WHERE
expr-list *
simple-
table
expr
bugs
1234
OR
TRUE
bug_id
=
no parameter

can change the tree
equality
PREPARE & EXECUTE
Client Server
parse query
send parameters
send SQL
optimize query
execute query
return results
prepare query
execute query
repeat with 

different 

parameters
bind parameters
convert to machine-
readable form
MYTH
“Query parameters prevent
SQL Injection.”
MYTH
ONE PARAMETER = ONEVALUE
SELECT * FROM Bugs 

WHERE bug_id = ?
NOT A LIST OFVALUES
SELECT * FROM Bugs 

WHERE bug_id IN ( ? )
NOT ATABLE NAME
SELECT * FROM ? 

WHERE bug_id = 1234
NOT A COLUMN NAME
SELECT * FROM Bugs 

ORDER BY ?
NOT AN SQL KEYWORD
SELECT * FROM Bugs 

ORDER BY date_reported ?
INTERPOLATIONVS. PARAMETERS
Scenario Example Value Interpolation Parameter
single value ‘1234’
SELECT * FROM Bugs 

WHERE bug_id = $id
SELECT * FROM Bugs 

WHERE bug_id = ?
multiple
values
‘1234, 3456, 5678’
SELECT * FROM Bugs 

WHERE bug_id IN ($list)
SELECT * FROM Bugs 

WHERE bug_id IN ( ?, ?, ? )
table name ‘Bugs’
SELECT * FROM $table 

WHERE bug_id = 1234
NO
column name ‘date_reported’
SELECT * FROM Bugs 

ORDER BY $column
NO
other syntax ‘DESC’
SELECT * FROM Bugs 

ORDER BY
date_reported $direction
NO
SOLUTION
Whitelist Maps
SOLUTION
EXAMPLE SQL INJECTION
http://www.example.com/?order=date_reported&dir=ASC
<?php
$sortorder = $_GET["order"];

$direction = $_GET["dir"];
$sql = "SELECT * FROM Bugs 

ORDER BY {$sortorder} {$direction}";
$stmt = $pdo->query($sql);
unsafe inputs
SQL Injection
FIX WITH A WHITELIST MAP
<?php
$sortorders = array( "DEFAULT" => "bug_id",

"status" => "status",

"date" => "date_reported" );
$directions = array( "DEFAULT" => "ASC",

"up" => "ASC",

"down" => "DESC" );
application request
values
SQL identifiers and
keywords
MAP USER INPUTTO SAFE
SQL
<?php
$direction = $directions[ $_GET["dir"] ] ?: $directions["DEFAULT"];
INTERPOLATE SAFE SQL
http://www.example.com/?order=date&dir=up
<?php
$sql = "SELECT * FROM Bugs 

ORDER BY {$sortorder} {$direction}";
$stmt = $pdo->query($sql);
whitelisted values
BENEFITS OF WHITELIST MAPS
•Protects against SQL injection in cases where
escaping and parameterization doesn’t help.
•Decouples web interface from database schema.
•Uses simple, declarative technique.
•Works independently of any framework.
FALLACY
“Queries parameters 

hurt SQL performance.”
FALLACY
SIMPLE QUERY
Profiled Elapsed
COMPLEX QUERY
Profiled Elapsed
MYTH
“A proxy/firewall solution 

prevents SQL injection.”
MYTH
ORACLE DATABASE FIREWALL
• Reverse proxy between application and Oracle
•Whitelist of known SQL queries
•Learns legitimate queries from application traffic
•Blocks unknown SQL queries
•Also supports Microsoft SQL Server, IBM DB2, Sybase ASE,
SQL Anywhere
• http://www.oracle.com/technetwork/database/database-firewall/overview/index.html
GREENSQL
• Reverse proxy for MySQL, PostgreSQL, Microsoft SQL Server
• Detects / reports / blocks “suspicious” queries:
•Access to sensitive tables
•Comments inside SQL commands
•An ‘or’ token inside a query
•An SQL expression that always returns true
• http://www.greensql.net/about
STILL NOT PERFECT
• Vipin Samar, Oracle vice president of Database Security:
• “Database Firewall is a good first layer of defense for databases but it
won't protect you from everything,” 

http://www.databasejournal.com/features/oracle/article.php/3924691/article.htm
• GreenSQL Architecture
• “GreenSQL can sometimes generate false positive and false negative
errors.As a result, some legal queries may be blocked or the
GreenSQL system may pass through an illegal query undetected.”

http://www.greensql.net/about
LIMITATIONS OF PROXY
SOLUTIONS
•False sense of security; discourages code review
•Gating factor for emergency code deployment
•Constrains application from writing dynamic SQL
•Doesn’t stop SQL injection in Stored Procedures
FALLACY
“NoSQL databases are immune
to SQL injection.”
FALLACY
“NOSQL INJECTION”
http://www.example.com?column=password
<?php
$map = new MongoCode("function() { 

emit(this." . $_GET["column"] . ",1); 

} ");
$data = $db->command( array(

"mapreduce" => "Users",

"map" => $map

) );
any string-interpolation of
untrusted content

is Code Injection
NOSQL INJECTION INTHE
WILD
• Diaspora wrote MongoDB map/reduce functions dynamically from Ruby on Rails:
• def self.search(query)

Person.all('$where' => "function() { 

return this.diaspora_handle.match(/^#{query}/i) ||

this.profile.first_name.match(/^#{query}/i) ||

this.profile.last_name.match(/^#{query}/i); }")

end
• http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/
did query come from a
trusted source?
MYTHS AND FALLACIES
• I don’t have to worry anymore
• Escaping is the fix
• More escaping is better
• I can code an escaping function
• Only user input is unsafe
• Stored procs are the fix
• SQL privileges are the fix
• My app doesn’t need security
• Frameworks are the fix
• Parameters quote for you
• Parameters are the fix
• Parameters make queries slow
• SQL proxies are the fix
• NoSQL databases are the fix
there is no single silver bullet—

use all defenses when appropriate
SQL ANTIPATTERNS
http://www.pragprog.com/titles/bksqla/
LICENSE AND COPYRIGHT
Copyright 2010-2015 Bill Karwin
www.slideshare.net/billkarwin
Released under a Creative Commons 3.0 License: 

http://creativecommons.org/licenses/by-nc-nd/3.0/
You are free to share - to copy, distribute and 

transmit this work, under the following conditions:
Attribution. 

You must attribute this work to Bill
Karwin.
Noncommercial. 

You may not use this work for
commercial purposes.
No Derivative Works. 

You may not alter, transform, or build
upon this work.

More Related Content

What's hot

Sql injection
Sql injectionSql injection
Sql injection
Nitish Kumar
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
Dzmitry Naskou
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
Jesus Perez Franco
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Sql injection
Sql injectionSql injection
Sql injection
Mehul Boghra
 
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
amiable_indian
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
Aju Thomas
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
ASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with OverviewASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with Overview
Shahed Chowdhuri
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
VMware Tanzu
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A  Heads UpSQLMAP Tool Usage - A  Heads Up
SQLMAP Tool Usage - A Heads Up
Mindfire Solutions
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
Sql injection
Sql injectionSql injection
Sql injection
Nikunj Dhameliya
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
Public Broadcasting Service
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
helloanand
 

What's hot (20)

Sql injection
Sql injectionSql injection
Sql injection
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Sql injection
Sql injectionSql injection
Sql injection
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
ASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with OverviewASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with Overview
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A  Heads UpSQLMAP Tool Usage - A  Heads Up
SQLMAP Tool Usage - A Heads Up
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 

Viewers also liked

InnoDB Locking Explained with Stick Figures
InnoDB Locking Explained with Stick FiguresInnoDB Locking Explained with Stick Figures
InnoDB Locking Explained with Stick Figures
Karwin Software Solutions LLC
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
How to Design Indexes, Really
How to Design Indexes, ReallyHow to Design Indexes, Really
How to Design Indexes, Really
Karwin Software Solutions LLC
 
Sql injection
Sql injectionSql injection
Sql injection
Pallavi Biswas
 
Sql query patterns, optimized
Sql query patterns, optimizedSql query patterns, optimized
Sql query patterns, optimized
Karwin Software Solutions LLC
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Marios Siganos
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
Respa Peter
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
Sql Antipatterns Strike Back
Sql Antipatterns Strike BackSql Antipatterns Strike Back
Sql Antipatterns Strike Back
Karwin Software Solutions LLC
 
Mentor Your Indexes
Mentor Your IndexesMentor Your Indexes
Mentor Your Indexes
Karwin Software Solutions LLC
 
Survey of Percona Toolkit
Survey of Percona ToolkitSurvey of Percona Toolkit
Survey of Percona Toolkit
Karwin Software Solutions LLC
 
Extensible Data Modeling
Extensible Data ModelingExtensible Data Modeling
Extensible Data Modeling
Karwin Software Solutions LLC
 
SQL Outer Joins for Fun and Profit
SQL Outer Joins for Fun and ProfitSQL Outer Joins for Fun and Profit
SQL Outer Joins for Fun and Profit
Karwin Software Solutions LLC
 
Models for hierarchical data
Models for hierarchical dataModels for hierarchical data
Models for hierarchical data
Karwin Software Solutions LLC
 
Schemadoc
SchemadocSchemadoc
Requirements the Last Bottleneck
Requirements the Last BottleneckRequirements the Last Bottleneck
Requirements the Last Bottleneck
Karwin Software Solutions LLC
 
Percona toolkit
Percona toolkitPercona toolkit
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB StatusMySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB Status
Karwin Software Solutions LLC
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 

Viewers also liked (20)

InnoDB Locking Explained with Stick Figures
InnoDB Locking Explained with Stick FiguresInnoDB Locking Explained with Stick Figures
InnoDB Locking Explained with Stick Figures
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
How to Design Indexes, Really
How to Design Indexes, ReallyHow to Design Indexes, Really
How to Design Indexes, Really
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql query patterns, optimized
Sql query patterns, optimizedSql query patterns, optimized
Sql query patterns, optimized
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Antipatterns Strike Back
Sql Antipatterns Strike BackSql Antipatterns Strike Back
Sql Antipatterns Strike Back
 
Mentor Your Indexes
Mentor Your IndexesMentor Your Indexes
Mentor Your Indexes
 
Survey of Percona Toolkit
Survey of Percona ToolkitSurvey of Percona Toolkit
Survey of Percona Toolkit
 
Extensible Data Modeling
Extensible Data ModelingExtensible Data Modeling
Extensible Data Modeling
 
SQL Outer Joins for Fun and Profit
SQL Outer Joins for Fun and ProfitSQL Outer Joins for Fun and Profit
SQL Outer Joins for Fun and Profit
 
Models for hierarchical data
Models for hierarchical dataModels for hierarchical data
Models for hierarchical data
 
Schemadoc
SchemadocSchemadoc
Schemadoc
 
Requirements the Last Bottleneck
Requirements the Last BottleneckRequirements the Last Bottleneck
Requirements the Last Bottleneck
 
Percona toolkit
Percona toolkitPercona toolkit
Percona toolkit
 
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB StatusMySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB Status
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 

Similar to Sql Injection Myths and Fallacies

SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
Compare Infobase Limited
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
Eoin Keary
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-on
Andrea Valenza
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
Damon Cortesi
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
Balavignesh Kasinathan
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016
Colin O'Dell
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Colin O'Dell
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better Security
Colin O'Dell
 
Php Security - OWASP
Php  Security - OWASPPhp  Security - OWASP
Php Security - OWASP
Mizno Kruge
 
A Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLA Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQL
kobaitari
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHP
Dave Ross
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application Security
Mahmud Ahsan
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
OSSCube
 
Top 5 Magento Secure Coding Best Practices
Top 5 Magento Secure Coding Best PracticesTop 5 Magento Secure Coding Best Practices
Top 5 Magento Secure Coding Best Practices
Oleksandr Zarichnyi
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
Tjylen Veselyj
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
amiable_indian
 
Unit testing with zend framework tek11
Unit testing with zend framework tek11Unit testing with zend framework tek11
Unit testing with zend framework tek11
Michelangelo van Dam
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016
Colin O'Dell
 
8 sql injection
8   sql injection8   sql injection
8 sql injection
drewz lin
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
Felipe Prado
 

Similar to Sql Injection Myths and Fallacies (20)

SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-on
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better Security
 
Php Security - OWASP
Php  Security - OWASPPhp  Security - OWASP
Php Security - OWASP
 
A Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQLA Brief Introduction About Sql Injection in PHP and MYSQL
A Brief Introduction About Sql Injection in PHP and MYSQL
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHP
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application Security
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
Top 5 Magento Secure Coding Best Practices
Top 5 Magento Secure Coding Best PracticesTop 5 Magento Secure Coding Best Practices
Top 5 Magento Secure Coding Best Practices
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
Unit testing with zend framework tek11
Unit testing with zend framework tek11Unit testing with zend framework tek11
Unit testing with zend framework tek11
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016
 
8 sql injection
8   sql injection8   sql injection
8 sql injection
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 

Recently uploaded

Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 

Recently uploaded (20)

Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 

Sql Injection Myths and Fallacies

  • 1. SQL INJECTION MYTHS AND FALLACIES Bill Karwin
  • 2. ME • Software developer • C, Java, Perl, PHP, Ruby, SQL • Author of SQL Antipatterns: 
 Avoiding the Pitfalls of Database Programming
  • 3. WHAT IS SQL INJECTION? http://example.com/show.php?bugid=1234 SELECT * FROM Bugs 
 WHERE bug_id = $_GET['bugid'] user input
  • 4. WHAT IS SQL INJECTION? http://example.com/show.php?bugid=1234 ORTRUE SELECT * FROM Bugs 
 WHERE bug_id = 1234 ORTRUE unintended logic
  • 5. WORSE SQL INJECTION http://example.com/changepass.php?acctid=1234
 &pass=xyzzy UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
  • 6. WORSE SQL INJECTION http://example.com/changepass.php?acctid=1234 ORTRUE
 &pass=xyzzy'), admin=('1 UPDATE Accounts 
 SET password = SHA2('xyzzy'), admin=('1')
 WHERE account_id = 1234 ORTRUE changes password for all accounts changes account to administrator
  • 7. MYTHS AND FALLACIES Based on a grain of truth, 
 but derives a wrong conclusion Based on a false assumption, 
 but derives a logical conclusion MYTH FALLACY
  • 8. MYTH “SQL Injection is an old problem―so I don’t have to worry about it.” MYTH
  • 9. ARCHOS • Christmas 2014 • “French smartphone maker Archos was compromised by a SQL injection attack last Christmas, resulting in the leak of up to 100,000 customer details.” • http://www.scmagazineuk.com/up-to-100k-archos-customers-compromised-by-sql-injection-attack/article/395642/
  • 10. WORDPRESS • February 2015 • “One Million WordPress WebsitesVulnerable to SQL Injection Attack” • http://www.tripwire.com/state-of-security/latest-security-news/one-million-wordpress-websites-vulnerable-to-sql-injection-attack/
  • 11. DRUPAL • March 2015 • “Drupal SQL injection vulnerability attacks persist, despite patch release” • http://www.scmagazine.com/trustwave-details-drupal-sql-injection-attack/article/404719/
  • 12. MYTH “Escaping input 
 prevents SQL injection.” MYTH
  • 13. ESCAPING & FILTERING http://example.com/changepass.php?acctid=1234 ORTRUE
 &pass=xyzzy'), admin=('1 UPDATE Accounts 
 SET password = SHA2('xyzzy'), admin=('1')
 WHERE account_id = 1234 coerced to 
 integer backslash escapes special characters
  • 14. ESCAPING & FILTERING FUNCTIONS <?php $password = $_POST["password"];
 $password_escaped = mysqli_real_escape_string($password); $id = (int) $_POST["account"]; $sql = "UPDATE Accounts
 SET password = SHA2(‘{$password_escaped}’)
 WHERE account_id = {$id}"; mysql_query($sql);
  • 15. ESCAPING & FILTERING FUNCTIONS <?php $password = $_POST["password"];
 $password_quoted = $pdo->quote($password); $id = filter_input(INPUT_POST, "account", 
 FILTER_SANITIZE_NUMBER_INT); $sql = "UPDATE Accounts
 SET password = SHA2( {$password_quoted} )
 WHERE account_id = {$id}"; $pdo->query($sql);
  • 16. IDENTIFIERS AND KEYWORDS <?php $column = $_GET["order"];
 $column_delimited = $pdo->FUNCTION?($column); $direction = $_GET["dir"]; $sql = "SELECT * FROM Bugs
 ORDER BY {$column_delimited} {$direction}"; $pdo->query($sql); no API to support delimited identifiers keywords get no quoting
  • 17. MYTH “If some escaping is good, more must be better.” MYTH
  • 18. OVERKILL? <?php function sanitize($string){     
   $string = strip_tags($string); 
   $string = htmlspecialchars($string);
   $string = trim(rtrim(ltrim($string))); 
   $string = mysql_real_escape_string($string);
   return $string;
 } $password = sanitize( $_POST["password"] ); real function from 
 a user’s project
  • 20. JUSTTHE ONE WILL DO <?php $password = mysqli_real_escape_string( 
 $_POST["password"] ); mysqli_query("UPDATE Users 
 SET password = '$password' 
 WHERE user_id = $user_id");
  • 21. MYTH “I can write my own 
 escaping function.” MYTH
  • 22. PLEASE DON’T • http://example.org/login.php?account=%bf%27 OR 'x'='x • $account = addslashes($_REQUEST(“account”)); • addslashes() sees a single-quote (%27) and inserts backslash (%5c). Result:
 %bf%5c%27 OR 'x'='x valid multi-byte character in GBK: 縗 single-quote
  • 23. GRANT ACCESSTO ANY ACCOUNT • Interpolating: SELECT * FROM Accounts 
 WHERE account = '{$account}' 
 AND password = '{$passwd}' • Results in: SELECT * FROM Accounts 
 WHERE account = '縗' OR 'x'= 'x' 
 AND password = 'xyzzy' • http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string • http://bugs.mysql.com/bug.php?id=8378
  • 24. SOLUTIONS • Use driver-provided escaping functions: • mysqli::real_escape_string() • PDO::quote() • Use API functions to set the client character set: • mysqli::set_charset() • http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html • Use UTF-8 instead of GBK, SJIS, etc.
  • 25. MYTH “Unsafe data comes from users―if it’s already in the database, then it’s safe.” MYTH
  • 26. NOT NECESSARILY $sql = "SELECT product_name FROM Products";
 $prodname = $pdo->query($sql)->fetchColumn(); $sql = "SELECT * FROM Bugs 
 WHERE MATCH(summary, description) 
 AGAINST ('{$prodname}')"; not safe input
  • 27. FALLACY “Using stored procedures prevents SQL Injection.” FALLACY
  • 28. STATIC SQL IN PROCEDURES CREATE PROCEDURE FindBugById (IN bugid INT)
 BEGIN
 SELECT * FROM Bugs WHERE bug_id = bugid;
 END CALL FindByBugId(1234) filtering by data type is a good thing
  • 29. DYNAMIC SQL IN PROCEDURES CREATE PROCEDURE BugsOrderBy
 (IN column_nameVARCHAR(100), 
 IN directionVARCHAR(4))
 BEGIN
 SET @query = CONCAT(
 'SELECT * FROM Bugs ORDER BY ', 
 column_name, ' ', direction);
 PREPARE stmt FROM @query;
 EXECUTE stmt;
 END CALL BugsOrderBy('date_reported', 'DESC') interpolating arbitrary strings = SQL injection
  • 30. WORTHY OFTHEDAILYWTF CREATE PROCEDURE QueryAnyTable
 (IN table_nameVARCHAR(100))
 BEGIN
 SET @query = CONCAT(
 'SELECT * FROM ', table_name);
 PREPARE stmt FROM @query;
 EXECUTE stmt;
 END CALL QueryAnyTable( '(SELECT * FROM ...)' ) http://thedailywtf.com/Articles/For-the-Ease-of-Maintenance.aspx
  • 32. DENIAL OF SERVICE SELECT * FROM Bugs JOIN Bugs 
 JOIN Bugs JOIN Bugs JOIN Bugs 
 JOIN Bugs
 100 bugs = 1 trillion rows
  • 33. DENIAL OF SERVICE SELECT * FROM Bugs JOIN Bugs 
 JOIN Bugs JOIN Bugs JOIN Bugs 
 JOIN Bugs 
 ORDER BY 1 still requires only SELECT privilege
  • 34. JUST ASKING FOR IT http://www.example.com/show.php?
 query=SELECT%20*%20FROM%20Bugs
  • 35. FALLACY “It’s just an intranet application―it doesn’t 
 need to be secure.” FALLACY
  • 37. WHAT STAYS ONTHE INTRANET? • You could be told to give business partners access to an internal application UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
  • 38. WHAT STAYS ONTHE INTRANET? • Your casual code could be copied & pasted into external applications UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id
  • 39. WHAT STAYS ONTHE INTRANET? • It’s hard to argue for a security review or rewrite for a “finished” application $$$ UPDATE Accounts 
 SET password = SHA2('$password')
 WHERE account_id = $account_id ?
  • 40. MYTH “My framework 
 prevents SQL Injection.” MYTH
  • 41. ORMS ALLOW CUSTOM SQL • Dynamic SQL always risks SQL Injection, 
 for example Rails ActiveRecord: Bugs.all(
 :joins => "JOIN Accounts 
 ON reported_by = account_id",
 
 :order => "date_reported DESC"
 ) any custom SQL can carry SQL injection
  • 42. WHOSE RESPONSIBILITY? • Security is the application developer’s job • No database, connector, or framework can prevent SQL injection all the time
  • 43. FALLACY “Query parameters do quoting for you.” FALLACY
  • 44. INTERPOLATING DYNAMIC VALUES • Query needs a dynamic value: SELECT * FROM Bugs 
 WHERE bug_id = $_GET['bugid'] user input
  • 45. USING A PARAMETER • Query parameter takes the place of a dynamic value: SELECT * FROM Bugs 
 WHERE bug_id = ? parameter placeholder
  • 46. HOWTHE DATABASE PARSES IT query SELECT FROM WHERE expr-list * simple- table expr bugs parameter
 placeholder ? bug_id =equality
  • 47. HOWTHE DATABASE EXECUTES IT query SELECT FROM WHERE expr-list * simple- table expr bugs 1234 bug_id = parameter
 value equality
  • 50. PREPARE & EXECUTE Client Server parse query send parameters send SQL optimize query execute query return results prepare query execute query repeat with 
 different 
 parameters bind parameters convert to machine- readable form
  • 52. ONE PARAMETER = ONEVALUE SELECT * FROM Bugs 
 WHERE bug_id = ?
  • 53. NOT A LIST OFVALUES SELECT * FROM Bugs 
 WHERE bug_id IN ( ? )
  • 54. NOT ATABLE NAME SELECT * FROM ? 
 WHERE bug_id = 1234
  • 55. NOT A COLUMN NAME SELECT * FROM Bugs 
 ORDER BY ?
  • 56. NOT AN SQL KEYWORD SELECT * FROM Bugs 
 ORDER BY date_reported ?
  • 57. INTERPOLATIONVS. PARAMETERS Scenario Example Value Interpolation Parameter single value ‘1234’ SELECT * FROM Bugs 
 WHERE bug_id = $id SELECT * FROM Bugs 
 WHERE bug_id = ? multiple values ‘1234, 3456, 5678’ SELECT * FROM Bugs 
 WHERE bug_id IN ($list) SELECT * FROM Bugs 
 WHERE bug_id IN ( ?, ?, ? ) table name ‘Bugs’ SELECT * FROM $table 
 WHERE bug_id = 1234 NO column name ‘date_reported’ SELECT * FROM Bugs 
 ORDER BY $column NO other syntax ‘DESC’ SELECT * FROM Bugs 
 ORDER BY date_reported $direction NO
  • 59. EXAMPLE SQL INJECTION http://www.example.com/?order=date_reported&dir=ASC <?php $sortorder = $_GET["order"];
 $direction = $_GET["dir"]; $sql = "SELECT * FROM Bugs 
 ORDER BY {$sortorder} {$direction}"; $stmt = $pdo->query($sql); unsafe inputs SQL Injection
  • 60. FIX WITH A WHITELIST MAP <?php $sortorders = array( "DEFAULT" => "bug_id",
 "status" => "status",
 "date" => "date_reported" ); $directions = array( "DEFAULT" => "ASC",
 "up" => "ASC",
 "down" => "DESC" ); application request values SQL identifiers and keywords
  • 61. MAP USER INPUTTO SAFE SQL <?php $direction = $directions[ $_GET["dir"] ] ?: $directions["DEFAULT"];
  • 62. INTERPOLATE SAFE SQL http://www.example.com/?order=date&dir=up <?php $sql = "SELECT * FROM Bugs 
 ORDER BY {$sortorder} {$direction}"; $stmt = $pdo->query($sql); whitelisted values
  • 63. BENEFITS OF WHITELIST MAPS •Protects against SQL injection in cases where escaping and parameterization doesn’t help. •Decouples web interface from database schema. •Uses simple, declarative technique. •Works independently of any framework.
  • 64. FALLACY “Queries parameters 
 hurt SQL performance.” FALLACY
  • 67. MYTH “A proxy/firewall solution 
 prevents SQL injection.” MYTH
  • 68. ORACLE DATABASE FIREWALL • Reverse proxy between application and Oracle •Whitelist of known SQL queries •Learns legitimate queries from application traffic •Blocks unknown SQL queries •Also supports Microsoft SQL Server, IBM DB2, Sybase ASE, SQL Anywhere • http://www.oracle.com/technetwork/database/database-firewall/overview/index.html
  • 69. GREENSQL • Reverse proxy for MySQL, PostgreSQL, Microsoft SQL Server • Detects / reports / blocks “suspicious” queries: •Access to sensitive tables •Comments inside SQL commands •An ‘or’ token inside a query •An SQL expression that always returns true • http://www.greensql.net/about
  • 70. STILL NOT PERFECT • Vipin Samar, Oracle vice president of Database Security: • “Database Firewall is a good first layer of defense for databases but it won't protect you from everything,” 
 http://www.databasejournal.com/features/oracle/article.php/3924691/article.htm • GreenSQL Architecture • “GreenSQL can sometimes generate false positive and false negative errors.As a result, some legal queries may be blocked or the GreenSQL system may pass through an illegal query undetected.”
 http://www.greensql.net/about
  • 71. LIMITATIONS OF PROXY SOLUTIONS •False sense of security; discourages code review •Gating factor for emergency code deployment •Constrains application from writing dynamic SQL •Doesn’t stop SQL injection in Stored Procedures
  • 72. FALLACY “NoSQL databases are immune to SQL injection.” FALLACY
  • 73. “NOSQL INJECTION” http://www.example.com?column=password <?php $map = new MongoCode("function() { 
 emit(this." . $_GET["column"] . ",1); 
 } "); $data = $db->command( array(
 "mapreduce" => "Users",
 "map" => $map
 ) ); any string-interpolation of untrusted content
 is Code Injection
  • 74. NOSQL INJECTION INTHE WILD • Diaspora wrote MongoDB map/reduce functions dynamically from Ruby on Rails: • def self.search(query)
 Person.all('$where' => "function() { 
 return this.diaspora_handle.match(/^#{query}/i) ||
 this.profile.first_name.match(/^#{query}/i) ||
 this.profile.last_name.match(/^#{query}/i); }")
 end • http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/ did query come from a trusted source?
  • 75. MYTHS AND FALLACIES • I don’t have to worry anymore • Escaping is the fix • More escaping is better • I can code an escaping function • Only user input is unsafe • Stored procs are the fix • SQL privileges are the fix • My app doesn’t need security • Frameworks are the fix • Parameters quote for you • Parameters are the fix • Parameters make queries slow • SQL proxies are the fix • NoSQL databases are the fix there is no single silver bullet—
 use all defenses when appropriate
  • 77. LICENSE AND COPYRIGHT Copyright 2010-2015 Bill Karwin www.slideshare.net/billkarwin Released under a Creative Commons 3.0 License: 
 http://creativecommons.org/licenses/by-nc-nd/3.0/ You are free to share - to copy, distribute and 
 transmit this work, under the following conditions: Attribution. 
 You must attribute this work to Bill Karwin. Noncommercial. 
 You may not use this work for commercial purposes. No Derivative Works. 
 You may not alter, transform, or build upon this work.