According to the Web Hacking Incidents Database 2007 Annual Report, SQL Injection is still the most common attack vector for security breaches on websites. Consider the following cartoon:
Why is it that our websites almost universally use a data access language whose statements can be completely subverted by the parameters fed into the queries? The problem is that web applications compose queries out of text strings concatenated with the input fed in by the client. The result is a SQL query that is sent, as a text string, to the SQL server and executed. Any input from the client that constitutes valid SQL fragment will be incorporated into the query, and can be used to wreak havoc with the database just like little Bobby Tables just did.
The main line of defense against this attack is to validate anything the client sends to a web application, and to strip out any SQL fragments that may be in there. This is of course an arms race: any validation attempt is met with new attempt to defeat the validation, ad infinitum. What we need is a new paradigm for querying databases from web applications: query parameters should never be treated as part of the query definition, but become opaque entities that are passed to the database engine as-is. The result of the above should be noting else than Bobby bringing home a report card that says “Robert'); DROP TABLE Students;--” across the top.
Oh, and what business has the web application dropping tables anyway? Why does its user have that privilege?
Pingback: Joshua