Friday, April 8, 2016

SQL string concatenation + unchecked user input = SQL injection

SQL injection is a way for attackers to compromise your database by sending input that causes your query to run SQL code rather than just transferring data.

If you're developing a program that you think might be vulnerable to SQL injection, you can look for two things that together signal a vulnerability:

  1. String concatenation - the dynamic construction of SQL commands. The S stands for Structured, which means you shouldn't treat the commands as normal text; they have special structure. There may be a better way to accomplish what you're after without operating on text. For example, parameterization is a solid way to pass any data into a query safely.
  2. Unchecked, untrusted user input to the function that builds the SQL query. If you're sure that a procedure will only be called on trusted data (like from other procedures you create that don't take user input), it doesn't really matter whether your own application can do bad things to itself. Functions that do accept possibly-hostile input should either parameterize queries or implement some really solid escaping (which is harder than you'd think).

If you only have stored procedures, a good key phrase to check for (at least on SQL Anywhere) is EXECUTE IMMEDIATE.
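The two signals side by side, as an added example that is not part of the original post: a lookup built by string concatenation versus the same lookup parameterized, run against a constructed in-memory SQLite table (SQLite stands in for SQL Anywhere here), plus a hypothetical `flags_dynamic_sql` triage helper that looks for the EXECUTE IMMEDIATE key phrase combined with `||` concatenation in a procedure body.

```python
import sqlite3

# Constructed sample data, not from the original post.
USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Signal 1 + signal 2 together: SQL text assembled from untrusted input.
    A quote inside `name` changes the command's structure, not just its data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterized form: the SQL structure is fixed; `name` travels as data."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input and report what each one does.
    The concatenated form fails as soon as the data contains a quote;
    the parameterized form returns the matching row."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    param = lookup_param(conn, name)
    return concat, param


def flags_dynamic_sql(proc_source):
    """Hypothetical triage helper for stored-procedure source: flag bodies that
    EXECUTE IMMEDIATE a statement built with || concatenation (the post's key
    phrase plus signal 1). A True result means 'read this procedure closely'."""
    return "EXECUTE IMMEDIATE" in proc_source.upper() and "||" in proc_source
```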
