Talk:SQL injection

From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Computer Security / Computing  (Rated Start-class, High-importance)
WikiProject icon This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 High  This article has been rated as High-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computing.
 
WikiProject Databases / Computer science  (Rated Start-class, Low-importance)
WikiProject icon This article is within the scope of WikiProject Databases, a collaborative effort to improve the coverage of database related articles on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 Low  This article has been rated as Low-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computer science (marked as Low-importance).
 

First section "Forms and Validity" has several problems[edit]

  • Title of this section does not make sense
  • contents seem like the cut and paste of headings from another article
  • "Interacting with Sql Injection" Is not a thing
  • the last bullet is not a separate form, but a description of tools used.
  • SQLIA is not used as an abbreviation anywhere. SQLi is used sometimes, but mostly it is not abbreviated past "SQL injection" — Preceding unsigned comment added by Mcgyver5 (talkcontribs) 23:11, 13 November 2013 (UTC)
  • Validity in the title applies to nothing in the content — Preceding unsigned comment added by Mcgyver5 (talkcontribs) 22:34, 13 November 2013 (UTC)

problem with quote[edit]

<quote> Sometimes vulnerabilities can exist within the database server software itself, as was the case with the MySQL server's real_escape_chars() functions recently. </quote> This lacks a source, a date, and the version(s) of MySQL effected. I assume it is in reference to CVE-2006-2753, MySQL Bug#8378 (See: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html), but this is a flaw in a database server, not SQL injection. Anyone else believe it should be deleted? —Preceding unsigned comment added by 203.206.98.80 (talkcontribs) 05:37, 6 August 2006

Agree that it should be deleted or expanded

Well, I think the point is that even by follow the best practices against SQL Injection, the escaping functions can still allow it if they have loopholes. So SQL injection is not always the fault of the developer - it can be the fault of the server software too. Also, why in the world is the citation marked "citation needed"????

My 2 cents 76.252.28.95 (talk) —Preceding comment was added at 03:35, 13 January 2008 (UTC)

"incorrectly filtered for string literal escape characters"[edit]

As is incorrect because there is no filtering of escape characters or filtered but not very well? Might be just the way I read this line. iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii — Preceding unsigned comment added by 14.99.164.111 (talk) 17:47, 22 March 2012 (UTC)

MS SQL and quoting[edit]

The statement "On MS SQL Server any valid SQL command may be injected via this method, including the execution of multiple statements" is quite incorrect, at least no more correct than the other languages listed. In most languages you can glue your sql text together and have problems or do the things the right way. In mssql the right way is like

command.commandtext="select * from animals where animal='@animal'"

command.parameters.add(new sqlparameter("@animal", "dog")))

CFQUERYPARAM statement used with CFQUERY statement in ColdFusion as solution[edit]

We have used the CFQUERYPARAM statement in the ColdFusion server-side programming language to protect against SQL injection attacks. Also, one should not store credit card numbers due to liability issues. The Skipjack credit card processing service, for example, gets the card number bounced to them (we never see it), and I would recommend Skipjack, though it requires Javascript be turned on.

Chris-marsh-usa (talk) 00:43, 8 July 2008 (UTC) (employee DTI Associates, a division of Kratos Defense, Inc.)

http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored

http://kb.adobe.com/selfservice/viewContent.do?externalId=300b670e —Preceding unsigned comment added by Chris-marsh-usa (talkcontribs) 00:46, 8 July 2008 (UTC)

Whitelisting[edit]

"For instance, if you wanted to defend against this attack, you could verify the userid variable to ensure its contents were numeric like so: if(!ctype_digit($userid)){ die("Invalid characters in userid."); }"

The problem is that in this example, we check the type of data in one the host language, i.e. in a language other than SQL. The host language could have notations (e.g. hexadecimal, scientific notation...) in which one could write strings which would pass the numericity test in this language, but would not be numeric in SQL. Apokrif 21:47, 5 September 2007 (UTC)

But in his example he uses ctype_digit which checks if the string consists of digits as oppose to is numerical —Preceding unsigned comment added by 130.88.174.217 (talk) 19:35, 19 January 2008 (UTC)

Link farm[edit]

Yes, I removed a ton of links. No, the number of links removed does not entitle you to automatically revert this edit. I did this in accordance with the wikipedia policies, which were being disregarded here. First, the most obvious: "Wikipedia is not a directory" per WP:NOT. Secondly, most of these links blatantly disrespect the guidelines on what the purpose of external links is, per WP:EXT. Links should be informational. They serve to improve an encyclopedia article by providing information about a topic. Linking to something that merely concerns the same topic in some way is not the same as linking to something that gives a person information about the topic. Wikipedia is not one stop shopping for programming tutorials, guides, and hacking tools. The essay lamenting the fact that is threat is too largely ignored, and the general "what is SQL injection?" link, seem to be fairly good candidates for inclusion. But all the other programmer's guides, as well as the links that seem to be "how to hack a site", need to go and stay gone TheBilly (talk) 01:40, 19 December 2007 (UTC)

Name[edit]

An important thing to research is the history behind SQL Injection. I get what it's name means logically, but who named it such? When were people first aware of this problem etc.? Have there been any big "worms" or "mass-hackings" using this vulnerability.

My Two cents. Gigitrix (talk) 13:12, 5 January 2008 (UTC)

Its never named - description of the attack became a noun since its been so often used. Its been around from like 1995 or so.

-- Anyonymous.  — Preceding unsigned comment added by 94.254.63.56 (talk) 14:45, 25 October 2011 (UTC) 

Microsoft UK site hacked[edit]

The source, which is not of notable reliability, cites another equally unreliable source, who merely SPECULATES that it may have been an SQL injection attack. I think this should be removed.

Straussian (talk) 01:59, 12 January 2008 (UTC)

the IIS6 open source non-commercial tool link[edit]

About this link that me and others have removed several times, and keeps getting re-added [1]. I see no point under Wikipedia:External_links#What_should_be_linked that fits this website that you keep linking. However, a bit lower on the same page, on point 13 of "links that should be avoided" we can read Sites that are only indirectly related to the article's subject: the link should be directly related to the subject of the article. This is an article on SQL injection on general, and your link is a product to stop SQL injection on a certain web server. But this is only one of the reasons for deleting the link. Let's see: it has no encyclopaedic content, it doesn't add anything to the article subject, it promotes a website or product, etc. Also, it has been already reverted by several editors, and you are the only one that thinks that it should stay on the article. For all of this, I ask you to stop adding the link. --Enric Naval (talk) 16:21, 22 March 2008 (UTC)

Reply:
The text is full of references to PHP and Java which is just indirectly related to SQL Injection. However, Internet Information Server is a mainstream Internet Server and a link to an open source tool to clean up SQL Injection for any language (Java, PHP, ASP, ASP.NET, etc) with commented source code seems to be in order and very helpful for SQL Injection professionals and victims. I see relevance and I ask you to stop taking off the link. —Preceding unsigned comment added by March 2008 (UTC)

P.D.:Also, I claim it a link not relevant to the article topic, and I call upon WP:SPAM for being a promotion of a product not relevant to the article's topic and repeatedly re-adding the link and for adding it at the top of the list and not at the bottom, and WP:COI because you seem to be involved personally with this product. Can you point a reason that we should link this product and not link all the other sql-injection-related tools that exist on the world?

(If you are really related to the project, you should update your description with the reasons for not working on ISS 5 because of this comment [2]) --Enric Naval (talk) 17:07, 22 March 2008 (UTC)

Reply: if you find another open source product please let me know. —Preceding unsigned comment added by 71.170.145.248 (talk) 17:35, 22 March 2008 (UTC)

I beg to differ, "being open source" is not a reason for having a link on a wikipedia article, unless you can point me to a specific wikipedia policy that says so. There is recommendations to use open source and free products/informations instead of closed propietary products/informations, but this is not the case since you are not replacing a closed source resource with an open source resource. You are pushing a product, period. --Enric Naval (talk) 17:39, 22 March 2008 (UTC)

Link to UN SQL Vulnerability[edit]

I'm worried about the link to the article about the United Nations page being hacked (Under Real-world examples), because the vulnerability is still there. Though they obviously should have fixed it already, we don't need to encourage people to do more damage. If no none objects, I'll remove the link. Zedlander (talk) 02:08, 26 March 2008 (UTC)

As for the legal responsabilities, the vulnerabilty is already public, we are just linking to a site specialized on hacking that provides an information that is already know to the public. UN web admins have had months to path the vulnerability and have not done it for whatever the reason. I also object to the removal per WP:CENSORED wikipedia is not censored --Enric Naval (talk) 11:40, 26 March 2008 (UTC)
Moot point now, I removed it myself because of not being a notable attack, it seems that it was only reported on that hacking website. --Enric Naval (talk) 21:08, 23 February 2009 (UTC)

Parameterized Queries - PHP example incorrect[edit]

The example given for parameterization in PHP (using sprintf) is incorrect; it uses concatenation of escaped strings rather than parameterization. A correct version (for MySQL) would use the mysqli functions (example adapted from http://www.mattbango.com/articles/prepared-statements-in-php-and-mysqli):

$db = new mysqli(”localhost”, “user”, “pass”, “database”);
$stmt = $mysqli -> prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt -> bind_param("ss", $user, $pass);
$stmt -> execute();
I added this example and reworded the other one [3] --Enric Naval (talk) 00:13, 25 July 2008 (UTC)

Magic String?[edit]

The section on this subject is a little cryptic. What is it all about? --Dan|(talk) 08:40, 28 January 2009 (UTC)

Magic string seems to work by changing the WHERE clause from
WHERE x = 'y'
to
WHERE x = '' or ''=''
by using ' or ''=' as y. This then gives you every piece of data in the table since '' always equals itself. In a typical insecure user/pass system, this will usually give you the first user since they only fetch the first result that fits (they don't expect multiple users to login simultaneously). Please tidy this up and wikify if you think it helps the article.

Legal Status[edit]

I know wikipedia is NPOV, but it is surely informative to mention the legality of this act? I don;t know the specifics, but i'm pretty sure it's illegal to do in the UK because of it's server side interaction, compared to something like a trivial javascript login. I don't know if this is intent baed or what. The article as it stands presents all the facts, but a user might be lead to try some of these techniques in the field as it were without being informed of the legal facts. —Preceding unsigned comment added by 90.210.148.6 (talk) 20:50, 2 May 2009 (UTC)

Why does escaping or parameterisation work to prevent SQL insertion attack?[edit]

Thank you for an interesting and informative article. I would find it more useful if you could add an explanation as to why the protective measures recommended actually work to prevent an insertion attack, as it does not seem clear to me why they would. Maybe this is obvious to the more informed, but I think the usual reader is coming here because they are not more informed...;-) Anyway, I am. Hansnext (talk) 06:03, 13 June 2009 (UTC)

adding real-world examples[edit]

Please don't add any real-world example that doesn't have WP:V verifiable WP:RS reliable sources.

If you have really hacked a website like neopets.com and obtained all passwords in plain text, then, please, by all means pass these news to "serious" hacking websites like, for example, attrition.org so it's announced also by them, and post the list of passwords somewhere public to see if you make such a escandal that the hacking gets reported by mainstream computing magazines like The Register, Computer World or PCWorld. When that happens then the attack will deserve appearing in that section (until it gets too long and we have to shorten it, but that will be a different question for the future). --Enric Naval (talk) 14:41, 23 July 2009 (UTC)

I would like to clarify a few things over this supposed hacking incident:
  • The Neopets Team has not said anything about this. They may do so when this week's Neopian Times comes out, but the chances of them telling us the truth is next to nothing.
  • One of the richest users on Neopets had his account deactivated on Tuesday and then quickly reactivated the next day. As of now he isn't saying anything, and I don't think he will. There are many, many other accounts that were deactivated on Tuesday and still are deactivated. This is ostensibly because of the SQL injection hacking incident, but anything any regular user on Neopets knows so far is based on little more than hearsay. The only solid proof we have of anything is that many people had their accounts deactivated, and when they asked the Neopets support team for help, TNT claimed that they had self-deactivated their accounts, which did not happen.

I also understand that Wikipedia is not an opinion piece, but the two items that I brought up are true. Clem (talk) 19:41, 23 July 2009 (UTC)

Would the attacks by Anonymous on the HBGary executive Aaron_Barr be deemed notable?136.154.22.22 (talk) 07:35, 11 February 2011 (UTC)

"On October 26, 2005, Unknown Heise Online readers replaced a page owned by the German TV station ARD which advertised a pro-RIAA sitcom with Goatse using SQL injection"[edit]

I deleted that sentence for several reasons: 1) It's mentioned nowhere that Heise Online readers were responsible. Heise was simply a news source to report about it. 2) It was not a pro-RIAA sitcom, just one epsiode in which someone copying music was killed by the artist (as written in that Heise article) 3) It was not even about the RIAA (which doesn't operate in Germany). The GVU were advisors for the scriptwriters in that particular episode. —Preceding unsigned comment added by 92.224.97.155 (talk) 13:57, 16 January 2010 (UTC)

H2 Database Engine[edit]

The claim about the H2 database engine makes no sense to me. Since (with SQL Server for example) you could set up an account that only has access to stored procedures, you could enforce at the database tier for SQL Injection to be impossible. (One step more than enforcing query parameterization). Hogan (talk) 16:11, 18 January 2010 (UTC)

Is it pronounced "Sequel" or "S-Q-L"?[edit]

A pronunciation guide should be added and one pronunciation should be used throughout the article. The article alternates between "An SQL database" and "A SQL database."71.74.144.165 (talk) 15:31, 26 September 2010 (UTC)

Sky news reference[edit]

The Sky News article Super Virus A Target For Cyber Terrorists is about Stuxnet, but they do mention the recent attack against the Royal Navy :
quote :
The Royal Navy's website was shut down on November 5, allegedly by a Romanian hacker.
In my mind it is a reliable reference. Feel free to remove it again if you disagreeBikepunk2 (talk) 21:42, 25 November 2010 (UTC)

OK, I hadn't noticed that it also mentioned the romanian hacker. --Enric Naval (talk) 17:05, 26 November 2010 (UTC)

Lulzsec again...[edit]

They used it on the fbi of all people, succesfully too. Check their twitter. 98.24.154.187 (talk) 21:39, 19 June 2011 (UTC)

Last conditional responses query[edit]

There is no text describing why it is there and the query is returning 1/0, which is a problem in itself. I think it should be removed. However, since I'm not sure why it is there, I'll leave that for someone else to do. 64.196.17.59 (talk) 20:02, 23 June 2011 (UTC)

I agree, since its been over a year I'm deleting it. The other examples are a little better, but lack context and don't even identify what parts of the query are from user input. I've put added some clarify tags. Skrewler (talk) 10:04, 14 November 2012 (UTC)
I've changed it to make it more accessible, giving a very clear example of how blind SQL injections are used. Feedback and criticism welcome. I can continue the example into timing attacks if it's welcome. Aron.Foster (talk) 02:21, 7 December 2012 (UTC)

Mitigation section is too technical[edit]

The first part of this article, explaining the vulnerability and giving examples, is well-written, but the section on mitigation, and especially on “parameterized statements,” is difficult to understand. 69.251.180.224 (talk) 22:59, 26 June 2011 (UTC)

Lead Section[edit]

How's this for a rewrite? Original:

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It happens from using poorly designed query language interpreters. In the wild, it has been noted that applications experience, on average, 71 SQLi attempts an hour. When under direct attack, some applications were occasionally under aggressive attacks and at their peak, were attacked 800-1300 times per hour.

New:

SQL injection or SQLi is a code injection technique that exploits a security vulnerability in some computer software. An injection occurs at the database level of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. Using well designed query language interpreters can prevent SQL injections.[citation needed] In the wild, it has been noted that applications experience, on average, 71 SQLi attempts an hour. When under direct attack, some applications occasionally came under aggressive attacks and at their peak, were attacked 800-1300 times per hour.

Syntax in one of the injections[edit]

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

This input renders the final SQL statement as follows:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

WAS: a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't'

note the final single quotation mark. The final single quotation mark would combine with the final single quotation mark already provided in "';" and thus make the statement:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't;

Without it the syntax already provided will finish the statement correctly rather then declaring it 't' = 't.

If that's wrong then change it back and I'm sorry. — Preceding unsigned comment added by Relh (talkcontribs) 19:37, 30 December 2011 (UTC)

If we break prepared statement binding variable[edit]

If we break prepared statement binding variable i think most of the banking software will be under trouble form hackers — Preceding unsigned comment added by Raja.m82 (talkcontribs) 07:46, 8 January 2013 (UTC)

dead url[edit]

Dead url http://www.worldofhacker.com/Article-Description-Complete-Reference-Guide-to-SQLi-How-to-Attack-and-How-to-Prevent-SQL-Injection --Palapa (talk) 12:41, 1 April 2013 (UTC)

First SQL injection attack[edit]

Regarding this addition:

  • In September 1995, Andrew Plato, a technical writer for Microsoft discovered that he could send SQL queries through URL string of an early e-commerce site and directly query the database (SQL Server 6.0). Unaware of what this meant, Plato approached developers who dismissed the issue as irrelevant. [citation needed]

I only see this claim in places where he probably provided the information himself. For example: personal profiles and presentations of conferences.

In google books. In google scholar there is only a self-published paper[4], and it credits Plato for something else.

I couldn't find any independent book or article on SQL injection that bothered mentioning him.

According to 2001 Oracle security handbook: "At the time of this writing, the newest, hottest topic in the database vulnerability arena is known as a SQL Injection." Pages 534 to 537 talk about SQL injection. Plato's experience 6 years ago doesn't seem to be mentioned at all.

Compare to Forristal, who discovered SQL injection in 1998, and gets interviews for it[5] and published an article in 1998 on Phrack Magazine [6] and is identified in several books as the inventor/discoverer/the guy who publicized the attack [7]

It doesn't look like Plato's experience had any repercussion outside of his own personal experience. Other people might have discovered this vulnerability before Forristal in 1998 and kept silent about it. Reliable sources give zero weight to Plato's discovery.

As far as I can tell, Plato's claim is not notable and it's not verified in independent sources. --Enric Naval (talk) 16:33, 27 March 2014 (UTC)