RSSTim Kridel
Strike Back at SQL Injections
What do Lady Gaga, PBS and the British Royal Navy have in common?
They all own websites that were hacked over the past two years by structured query language (SQL) injections.
Although the IT world has understood the methods and vulnerabilities for years, the attacks continue to increase for many reasons -- including the arrival of tools that enable hackers to automate some of their processes.
To help enterprises and other organizations avoid becoming the next victim, we sought out Paul Litwin, programmer manager at the Fred Hutchinson Cancer Research Center in Seattle and owner of Deep Training, a .NET training company.
Here's his advice for identifying and thwarting SQL injection attacks.
Q: Give us an example of how simply entering a malformed SQL statement in a website's textbox gives a hacker access to an underlying database.
Litwin: Many applications use a form to authenticate users. For example, in a typical insecure ASP.NET application, when a user clicks a login button, a method might authenticate that user by running a query. This query might calculate the number of records in a database table that match the username and password entered in the form's textbox controls.
By entering text that seems harmless, such as "Or 1=1 --," it's possible for a hacker to form a syntactically correct query. For example, this might be the query behind the ASP.NET page:
string strQry = "SELECT Count(*) FROM Users WHERE UserName='" +
txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
Now, when a "good" user enters a name of "Paul" and a password of "password," strQry becomes:
SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password'
But when the hacker enters "' Or 1=1 --" the query instead becomes:
SELECT Count(*) FROM Users WHERE UserName=" Or 1=1 --' AND Password='"
And because in SQL, a pair of hyphens indicate the beginning of a comment, the query becomes:
SELECT Count(*) FROM Users WHERE UserName=" Or 1=1
But the expression 1=1 is always true for every table row, and a true expression or'd with another expression will always come back as true. So if there's at least one row in the table, this SQL will always produce a nonzero record count and get the hacker authenticated into the application.
Q: Is SQL Server the only product that's vulnerable to SQL injection attacks?
Litwin: No. DB2, Oracle, MySQL and Sybase are examples of other databases that are equally vulnerable. That's because the SQL language has several features that are designed to make it powerful and flexible, but these also create risks. One example is the ability to use a pair of hyphens to embed comments in an SQL statement. Another is the ability to string together multiple SQL statements and then batch-execute them.
Basically, the more powerful the SQL dialect, the more vulnerable that database is. That's why SQL Server is so frequently targeted.
And keep in mind that SQL injection attacks target more than just ASP.NET applications. Classic ASP, Java, JSP, Ruby on Rails and PHP applications, and even desktop applications, are vulnerable too.
Q: What do you recommend for preventing SQL injection attacks?
Litwin: First and foremost, implement multiple layers of protection. That way, if one safeguard is breached, others still stand in the hacker's way.
Here are five tips:
1. Don't trust user input -- ever.
Use validation controls, regular expressions, code and other methods to validate every single textbox entry.
2. Avoid dynamic SQL.
Instead, use parameterized SQL or stored procedures.
3. Never link a database to an admin-level account.
Always use a limited access account to connect to the database.
4. Encrypt or hash passwords and connection strings.
Never leave this kind of sensitive information as plain text.
5. Keep error messages at a high level.
The more information those messages have, the more clues they can provide to hackers.
For more tips, check out Paul Litwin's article
"Stop SQL Injection Attacks Before They Stop You."
Photo Credit: @iStockphoto.com/kr7ysztof
Tim Kridel has been covering all things tech and telecom since 1998 for a variety of publications and analyst firms. Based in Columbia, Mo., he still enjoys the childhood hobby that led to a career writing about technology: ham radio.
Twitter: @ihavenet
- Steve Jobs: 5 Secrets of Success
- Apple's Steve Jobs: Not Quite Henry Ford
- One Thing Steve Jobs Couldn't Change: Our Mortality
- The Next Disruptive Technologies
- Apple's New MacBook Air
- 3 Gadgets That Transformed Business
- Facebook Reaches One Trillion Hits
- 4 Ways to Save on Gadgets
- Cell Phone Radiation: 5 Ways to Minimize It Now
- How to Choose the Right Tablet
- 5 Cool Apps for Your Labor Day Weekend
- 4G LTE: Not So Fast
- What Can the Cloud Do For You?
- Ubiquitous Computing: Is Ubicomp at a Tipping Point?
- Strike Back at SQL Injections
- The Mob That New Technology Has Made
- Social Networking Leads to Smoking, Drinking and Drug Use
- Cloud 101: Are You a PC, Mac or Cloud?
- Can You Get Fired for Your Blog Posts?
- Should You Switch to Google+ ?
- Navigate the Booming Computer Science Market
- China Outpaces United States in PC Market
- How Apple's iCloud Changes Business
- Use the Cloud to Go Mobile
- Apple iPad 2: A Smarter Business Tool
- Why You Can't Ignore iPhone / iPad Security
- Should You Let Your Teens Blog?
- Should You Talk Politics Online?
- How to Watch TV for Free -- or Close to It
- The Cost of Paying for Netflix
- Future for Slates, Tablets and iPads
- Social Media and Privacy (or Lack Thereof)
- Small Business Video: Life After the Flip
- Is It Safe to Post Photos Online?
- 9 Ways to Avoid Online Scams
- LinkedIn Offers New Options for Students
- 4 Strategies to Avert Virtual Arguments
- Cloud Computing 101: Protect Yourself Online
- How to Recover From a Social Media Mistake
- Why You Should Inventory Business Cloud Use
- Emerging Technology Has Positive Impact in Classroom
- 4 Apps to Manage Your Contacts
- Portable Tech Gadgets You Need This Summer
- Best Tablets for Your Business
- Security Tips for Your Smartphone or Tablet
- 5 New Cloud Tools You'll Love
- Can a Tablet Replace Your Laptop?
- Why Wireless Needs a Network of Networks
- 5 Steps to a Successful Enterprise Wireless Strategy
- 5 Keys for Moving Enterprise Security to the Cloud
- Tips for Building and Deploying Cloud-based Apps
- 5 Business Lessons You Can Learn From Mark Zuckerberg
- Russia: The No. 1 Base of Global Internet Attacks
- Researchers Say New Botnet TDL-4 Poses Big Threat
- The Internet Grows Up
- Ten Ways to Keep Your Online Information Secure
- How Facebook and Your Free Time Can Get You Fired
- The Only 10 Android Health Apps You Need
- Connected TV
- Near-Field Communication Technology the Next Big Thing
- The Future of 3-D Video
- Is Your Teen Sexting?
- Should You Ban Your Tweens From Facebook?
- Home Movies: Then and Now
- Is Social Media Malware Infecting Your Business?
- Is Your Tween (Illegally) on Facebook?
- Are Free Public Wi-Fi Networks Safe?
- Explosion of Creativity: Power of Online Communities
- The Future According to Google
- 5 Cheap Alternatives to Hiring a Personal Trainer
- When Your Dream Company is Hiring on Twitter
- Colleges Bring Campuses to Facebook
- Technology Powers Revolutions and Saves Lives
- Best Photo Apps
- Virtual World No Substitute for Real One
- Best Phone Apps for Busy Women
- How to Prevent Identity Theft
- How to Use Facebook So It Does not Use You
- Worst-case Computer Scenarios
- Google Chrome OS Notebook: A Security Game Changer?
- What Is Cloud Computing?
- How to Prevent Data Breaches
- Best Tips for Sharing Videos
- Do You Need an iPad for Your Small Business?
- The App Guide: 5 Must-have Shopping Apps
- Project Management Tips From the Pros
- Finding the Right Skill Set
- Who's Gawking at Your Photos?
- Dealing With Virtual Stalking
- CES 2011 Report - Consumer Electronics Show
- Time to Gear up for 3-D TV?
- How to Get the Best Service From IT Vendors
- Dating Apps: The Lowdown
- New Website Streamlines College-Aid Application
- Gift-card Resale Market Thrives Online
- Stop Cyberbullying Now!
- 5 Cloud Tools to Boost Your Productivity
- Mobile Pay Can Give You an Edge
- How to Find the Best Deals Online
- Should You 'Friend' Your Teens Online?
- Should You Really Post That Comment?
- 5 Smart Tactics for LinkedIn Self-Promotion
- How Repressive Regimes Use the Internet to Keep Power
- WikiLeaks: Diplomacy as Usual
- The Rising Threat of USB Drives
- Integrate Cloud Solutions With Caution
- Tech Solutions to Track Your Resolutions
- Crash Course in Computer Maintenance
- How to Pick the Right Cloud Provider
- Web Tools for Starting a Small Business
- 4 Life-changing Resolutions You Can Stick to
- Create Your Own Social Network
- What the Web Says About You
- FTC Chairman: 'Do Not Track' Rules Would Help Web Thrive
- 'Do Not Track' Rules Would Put a Stop to the Internet As We Know It
- Are Federal 'Do Not Track' Rules Needed?
- The Political Power of Social Media
- Top 3 Kid-safe Social Networks
- 5 Ways to Cultivate Your Kids' Online Reputation
- Preparing Our Children for Global Digital Citizenship Success
- The Great E-reader Roundup
- The NFL's Highest-scoring Apps
- New Gadgets Straight From the Big Screen
- A Game Plan for Protecting Stored Data
- The Drive for Real-time Collaboration
- Hang Onto People Who'll Help You Advance
- Leading New Developments in Visual Computing
- Meet Mr. Industrial: Justin Lassen's Music Machine
- Must-see TV on the Internet
- Share Safely on Social Networks
- 6 Essential Rules for Safe Online Shopping
- Five Steps to Kid-friendly Surfing
- High-tech Help for Weight Loss
- Create a Web Site or Blog for Your Family
- Video Eyewear for Sunglass Cinema
- Smart Phone Apps Help Stop Distracted Driving
- Online Computer Backup Services Remove Hassle
Copyright © 2011 Studio One Networks. All rights reserved.