SQL injection is still out there as an attack. It worked against Twin America LLC, and it was only discovered this past October, after hundreds of thousands of records were stolen. It's a well-known ploy: you take advantage of web sites that have a form for inputting information. If a site doesn't employ techniques to nullify SQL injection, an attacker can easily see your entire database, which often includes usernames, passwords, and account information, or worse, download the information and then destroy the database.
Two common areas that are potentially open to attack are unfiltered escape characters and poor type handling. In an unfiltered web form, a form variable is plugged directly into a SQL statement. If I crafted just the right input, I could potentially append my own SQL clause to the one being executed. The classic example is:

    SELECT * FROM user_table WHERE username = '" + username + "';

If instead of a valid username, I entered

    ' OR '1'='1

I'd now be running this statement:

    SELECT * FROM user_table WHERE username = '' OR '1'='1';

The OR '1'='1' clause will always evaluate to true, so the query returns every row in the user table.
A second potential hole exists if the programmer does not check for type constraints. If a SQL statement expects a number, the input supplying that variable should be checked to make sure it truly is a number. Again, like the trick above, I could insert an entirely new statement such as

    DROP TABLE user_table

after entering a number into a form. The back end would then execute whatever statement I presented to it.
There are several techniques to protect a Web application from these types of attacks, including the use of parameterized statements, or even escaping characters that have a special meaning in SQL. But programmers have to be diligent about adding this protection, because hackers will find even the smallest hole and take advantage of it.
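To make the difference concrete, here is an added example (not code from the original post or from Biscom) that runs both flavors of lookup against a small SQLite database built in memory: the concatenated query from the article beside its parameterized replacement, and a numeric-field lookup with and without the type check. The table, user names and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample data; every name and value here is illustrative only.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user_table (id INTEGER, username TEXT, password TEXT)")
conn.executemany("INSERT INTO user_table VALUES (?, ?, ?)",
                 [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pa55")])


def lookup_concat(username):
    # VULNERABLE: the form value is pasted straight into the SQL text,
    # exactly as in the article's classic example. A quote in the input
    # closes the literal and whatever follows becomes part of the query.
    sql = "SELECT username FROM user_table WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(username):
    # HARDENED: a parameterized statement sends the value separately from
    # the SQL text, so the input is only ever compared as data.
    sql = "SELECT username FROM user_table WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def by_id_concat(user_id):
    # VULNERABLE: a numeric field built by concatenation needs no quote at
    # all, so any text that parses as SQL after the number is executed.
    sql = "SELECT username FROM user_table WHERE id = " + user_id
    return sorted(row[0] for row in conn.execute(sql))


def by_id_checked(user_id):
    # HARDENED: enforce the expected type first, then bind the value.
    if not user_id.isdigit():
        raise ValueError("id must be a whole number")
    sql = "SELECT username FROM user_table WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (int(user_id),)))


if __name__ == "__main__":
    print(lookup_concat("' OR '1'='1"))   # every user, as in the article
    print(lookup_param("' OR '1'='1"))    # no match: the input is just a string
    print(by_id_concat("1 OR 1=1"))       # every user again
    try:
        by_id_checked("1 OR 1=1")
    except ValueError as err:
        print("rejected:", err)           # type check stops it before the query
```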
Biscom spends its time worried about these types of hacks, so you don't have to. Countless penetration tests have proven our security model. We think our customers want a secure file transfer solution that is actually secure.