Is SQL Injection Still a Major Security Threat?

By eWEEK EDITORS, September 25, 2007
      Q: What exactly is SQL injection?
      A: SQL injection is a type of attack that targets Web sites backed by a relational database such as Microsoft SQL Server, Oracle or MySQL. The database might be doing nothing more complicated than capturing user names and passwords, or it might be executing full-blown sales transactions.

      Q: Who is vulnerable to SQL injection?
      A: Hundreds of thousands of sites around the world are potentially vulnerable to SQL injection if they don't properly defend against it.

      Q: How does SQL injection work?
      A: The way it works is very simple. An improperly programmed Web form can inadvertently allow data and executable code to get mixed up. Suppose the site has a page where a user has to type in some data, maybe just a user name, a blog comment, or a description of an item for sale. A hacker can hijack a data entry field on this Web form by entering a value that is completely different in type from what the programmer intended. For example, SQL uses the single quote character (') as an escape character. This tells the database that whatever comes next is no longer data but executable code. All the hacker has to do is insert a piece of live SQL after the escape character. The database engine will see that code and think it is expected to execute it. In that way it can be tricked into performing a task of the hacker's choice, perhaps inserting fictitious values into the database or retrieving data the hacker shouldn't see, or even maliciously deleting an entire table.

      Q: How can sites protect themselves against SQL injection?
      A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP. The pre-.Net Microsoft tools in particular were very vulnerable to attack and at the same time very easy to use. You had a lot of people building Web sites with them who really had no clue how to defend themselves from attackers. Since then Microsoft has rearchitected its products and the current generation of .Net tools makes it much more difficult to expose yourself to SQL injection unless you do something really strange.

      Q: Are you saying that sites built with open source tools like PHP are more vulnerable to SQL injection attacks than sites built with .Net?
      A: It's a question of mentality. Microsoft's mindset is to fix things in such a way that the user doesn't have so much control and is therefore less vulnerable. The open source tools like PHP have a different philosophy. They assume that users know what they are doing and want to be free of constraints, so these tools let users do what they want but at their own risk. The open source tools assume that developers these days are aware of the threat of SQL injection and will do the right thing.

      Q: Is it fair to say that the risk of SQL injection is greater for older Web sites?
      A: Yes.

      Q: What's so hard about remediating the vulnerabilities in older sites?
      A: You can certainly do it. But retraining the developers who built the old sites is often a big problem. Perhaps you went out in 2002 and hired a bunch of college kids to build your site. The college kids applied what they had just learned in college, which at that time didn't include protecting themselves from things like SQL injection. Now fast forward five years to 2007 and the college kids you hired in 2002 haven't learned anything new. They have to be retrained to use the newer tools. Or else you have to go out and hire new college kids, who will apply what they have just learned in college, but will themselves have to be retrained five years down the road. It always comes down to a question of education.
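The mixing of data and code described in the answer on how SQL injection works, and the code/data separation recommended as the defense, shown side by side. This is an added example written for this page, not code from the article or from any product it mentions; it assumes Python's standard sqlite3 module and a constructed two-row users table.

```python
import sqlite3


def make_db():
    # Constructed sample data for this example (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: the input is pasted into the SQL text, so a single
    quote inside it closes the string literal and everything after it is
    parsed by the engine as SQL code (the mixing the article describes)."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Hardened form: the SQL text is fixed and the values travel separately
    as bound parameters, so a quote in the input is only ever data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    conn = make_db()
    results = {}
    # An honest login behaves the same either way.
    results["honest_concat"] = login_concat(conn, "alice", "s3cret")
    results["honest_param"] = login_param(conn, "alice", "s3cret")
    # A password containing a quote: concatenation turns the tail into live
    # SQL that makes the WHERE clause true for every row, so every user is
    # returned; with parameters it is just a string that matches nobody.
    tainted = "' OR '1'='1"
    results["tainted_concat"] = login_concat(conn, "alice", tainted)
    results["tainted_param"] = login_param(conn, "alice", tainted)
    # A legitimate apostrophe in data breaks the concatenated query outright
    # (syntax error), while the parameterized query handles it cleanly.
    try:
        login_concat(conn, "O'Brien", "x")
        results["apostrophe_concat_error"] = False
    except sqlite3.OperationalError:
        results["apostrophe_concat_error"] = True
    results["apostrophe_param"] = login_param(conn, "O'Brien", "x")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```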

      eWEEK EDITORS
      eWeek editors publish top thought leaders and leading experts in emerging technology across a wide variety of Enterprise B2B sectors. Our focus is providing actionable information for today’s technology decision makers.