Which is Worse: H1N1 or SQL Injection?
By David Dorf on Sep 02, 2009
Today Michael Barnett, one of the engineers at Oracle Retail that worked on our PA-DSS (PCI) certification, sent an email to R&D that said:
SQL Injection has regained the lead as the most popular of Web attacks, including Heartland, Hannaford Bros., and 7-11. Good refresher article on how to prevent it.
As we all know, security is an ongoing process, so I was glad to see that R&D continues to monitor developments. Along with your swine flu shot, you'd better make sure your web sites are protected as well.

It occurred to me that some retailers may not know what SQL Injection is, so I thought I'd take a minute to explain. When I used to write checks, I'd write out the amount and then draw a line through the rest of the area, presumably to prevent an unscrupulous person from adding "and a million dollars." That's not too far off from SQL Injection. A field on a web page that asks for your name, for example, could be appended with "and list all the other people in the database."
How, you ask? Applications talk to the database using SQL, a database programming language. In the application code, it says something like
SELECT birthdate FROM customer_tbl WHERE name = '$NAME';
The $NAME is a variable that represents what was entered on the web page by the user. Imagine you enter "John Doe'; select * from customer_tbl where 1=1 --" in the name field on the web page. The stray apostrophe closes the string the application started, the semicolon starts a second statement, and the trailing "--" turns whatever the application appends after your input into a comment. Now the query looks like:
SELECT birthdate FROM customer_tbl WHERE name = 'John Doe'; select * from customer_tbl where 1=1 --';
Whether that second statement actually runs depends on the database and the driver; many (Oracle's JDBC driver among them) refuse to execute two statements in one call. That is no protection, though, because the same trick works inside a single statement: entering "x' OR '1'='1" turns the WHERE clause into one that is true for every row, so the query returns every customer instead of one. Using that technique along with a bunch of smart guesses about table and column names, a hacker can do all sorts of things, like read or alter data or crash the system.
SQL Injection is prevented by using prepared statements with bind variables (a database/driver feature that sends user input separately from the SQL text, so it can never be parsed as SQL). Validating fields to reject unexpected characters is a sensible second layer, but not a substitute: legitimate values such as O'Brien contain exactly the apostrophe an attacker needs, so a filter that allows real names will also allow some attacks.
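To make the mechanics above concrete, here is an added example (it is not from the original post and not Oracle code) in Python using the standard sqlite3 module as a stand-in for the retailer's database. It builds the page's customer_tbl with constructed sample rows, runs the string-pasted query from the page against a tautology payload, runs the same payload through a bound-parameter version, and tries the page's stacked-statement payload, which this particular driver refuses. The table contents, the payloads, and the name-validation pattern are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's customer_tbl (not real customers).
SAMPLE_CUSTOMERS = [
    ("John Doe", "1970-01-01"),
    ("Jane Roe", "1985-06-15"),
    ("Sam Smith", "1992-11-30"),
]

# Payloads assumed for illustration. The first mirrors the page's stacked-query idea;
# the second works inside a single statement and uses only letters, spaces and
# apostrophes, i.e. characters a real name like O'Brien also needs.
STACKED_PAYLOAD = "John Doe'; select * from customer_tbl where 1=1 --"
TAUTOLOGY_PAYLOAD = "Brien' OR 'a' LIKE 'a"

# Hypothetical allow-list a developer might write for a name field.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")


def make_db():
    """In-memory SQLite database holding the page's customer_tbl."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer_tbl (name TEXT, birthdate TEXT)")
    conn.executemany("INSERT INTO customer_tbl VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def vulnerable_lookup(conn, name):
    """The pattern from the page: $NAME is pasted straight into the SQL text,
    so anything the user types is parsed as SQL."""
    sql = "SELECT birthdate FROM customer_tbl WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, name):
    """Prepared statement: the SQL text is fixed and the name travels as a bound
    parameter, so the database only ever compares it as a value."""
    sql = "SELECT birthdate FROM customer_tbl WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def looks_like_a_name(name):
    """Field validation as defense in depth. Note that it must allow the
    apostrophe, which is exactly the character an attacker relies on."""
    return NAME_RE.fullmatch(name) is not None


def stacked_attempt(conn):
    """Send the page's 'John Doe'; select ...' payload through the vulnerable query.
    The sqlite3 module executes only one statement per call and raises on the
    rest; other drivers and databases may happily run the second statement."""
    try:
        vulnerable_lookup(conn, STACKED_PAYLOAD)
        return "executed"
    except (sqlite3.Warning, sqlite3.Error):
        return "refused"


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", vulnerable_lookup(db, "John Doe"))
    print("tautology passes name filter:", looks_like_a_name(TAUTOLOGY_PAYLOAD))
    print("vulnerable query, tautology payload:", vulnerable_lookup(db, TAUTOLOGY_PAYLOAD))
    print("prepared statement, same payload:", safe_lookup(db, TAUTOLOGY_PAYLOAD))
    print("stacked payload against this driver:", stacked_attempt(db))
```

The point to take from running it: the tautology payload sails through the name filter, the string-pasted query hands back every birthdate in the table, and the prepared statement returns nothing for the same input because it is looking for a customer literally named "Brien' OR 'a' LIKE 'a". The stacked payload is refused here only because of what this driver happens to do, which is why prepared statements, not driver behaviour or character filtering, are the defense to rely on.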
If you want to learn more, check out this excellent example of a SQL Injection attack.
There's also a great tutorial on Defending Against SQL Injection Attacks that Oracle provides.