Is SQL Injection Still a Major Security Threat?

Robert Graham, CEO of Errata Security, explains SQL injection, a technique criminal hackers could use to compromise Web site databases.

Q: What exactly is SQL injection?
A: SQL injection is a type of attack that targets Web sites backed by a relational database such as Microsoft SQL Server, Oracle or MySQL. The database might be doing nothing more complicated than capturing user names and passwords, or it might be executing full-blown sales transactions.

Q: Who is vulnerable to SQL injection?
A: Hundreds of thousands of sites around the world are potentially vulnerable to SQL injection if they don't properly defend against it.

Q: How does SQL injection work?
A: The way it works is very simple. An improperly programmed Web form can inadvertently allow data and executable code to get mixed up. Suppose the site has a page where a user has to type in some data - maybe just a user name, a blog comment, or a description of an item for sale. A hacker can hijack a data entry field on this Web form by entering a value that is completely different in type from what the programmer intended. For example, SQL uses the single quote character (') as an escape character. This tells the database that whatever comes next is no longer data but executable code. All the hacker has to do is insert a piece of live SQL after the escape character. The database engine will see that code and think it is expected to execute it. In that way it can be tricked into performing a task of the hacker's choice - perhaps inserting fictitious values into the database or retrieving data the hacker shouldn't see, or even maliciously deleting an entire table.

Q: How can sites protect themselves against SQL injection?
A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP. The pre-.Net Microsoft tools in particular were very vulnerable to attack and at the same time very easy to use. You had a lot of people building Web sites with them who really had no clue how to defend themselves from attackers. Since then Microsoft has rearchitected its products and the current generation of .Net tools makes it much more difficult to expose yourself to SQL injection unless you do something really strange.

Q: Are you saying that sites built with open source tools like PHP are more vulnerable to SQL injection attacks than sites built with .Net?
A: It's a question of mentality. Microsoft's mindset is to fix things in such a way that the user doesn't have so much control and is therefore less vulnerable. The open source tools like PHP have a different philosophy. They assume that users know what they are doing and want to be free of constraints, so these tools let users do what they want but at their own risk. The open source tools assume that developers these days are aware of the threat of SQL injection and will do the right thing.

Q: Is it fair to say that the risk of SQL injection is greater for older web sites?
A: Yes.

Q: What's so hard about remediating the vulnerabilities in older sites?
A: You can certainly do it. But retraining the developers who built the old sites is often a big problem. Perhaps you went out in 2002 and hired a bunch of college kids to build your site. The college kids applied what they had just learned in college, which at that time didn't include protecting themselves from things like SQL injection. Now fast forward five years to 2007 and the college kids you hired in 2002 haven't learned anything new. They have to be retrained to use the newer tools. Or else you have to go out and hire new college kids, who will apply what they have just learned in college, but will themselves have to be retrained five years down the road. It always comes down to a question of education.
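
Added example, not part of the interview: the answers above on how SQL injection works and on separating SQL code from user data, shown as a string-built lookup beside a parameterized one. The table, sample accounts and function names are constructed for illustration, and Python's built-in sqlite3 stands in for the databases named in the interview.

```python
import sqlite3

def make_db():
    """In-memory database holding three constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "wonderland"), ("bob", "builder"), ("o'brien", "clover")],
    )
    return db

def lookup_concatenated(db, name):
    """Before: the input is pasted into the SQL text, so a single quote
    in the input closes the string literal and the rest is parsed as SQL."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(query))

def lookup_parameterized(db, name):
    """After: the SQL text is fixed and the input is bound as a value,
    so the database never parses it as code."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

def compare(db, name):
    """Run both lookups on one input; report rows or the database error."""
    result = {}
    for label, fn in (("concatenated", lookup_concatenated),
                      ("parameterized", lookup_parameterized)):
        try:
            result[label] = fn(db, name)
        except sqlite3.Error as exc:
            result[label] = "error: " + type(exc).__name__
    return result

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a plain name, a legitimate name that contains a
    # quote, and a value whose quote turns the remainder into a condition.
    for value in ("alice", "o'brien", "nobody' OR '1'='1"):
        print(repr(value), compare(db, value))
```

The quote-containing legitimate name is the useful regression case: the string-built query fails on it with a syntax error, which is often the first visible symptom of the flaw in an older site.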