Veracode Senior Security Researcher Ryan O'Boyle discusses SQL Injection attacks and what can be done to avoid them.

About Neil DuPaul

Neil manages the blog pipeline at Veracode, often by fending off eager contributors with a stick. He manages much of the Veracode web presence while also motivating the more introspective Veracoders to be social. Lover of sports and outdoors, and a SERP enthusiast, hit him up on Twitter here.

Comments (3)

bsdwiz | August 3, 2012 12:41 am

Hmm, he says SQL injection can be prevented in multiple ways, then goes on to say it can be prevented by prepared statements and also input validation. Of course developers should be doing "input validation", but do we really want developers to try and build white lists to prevent sqli? I think not! There is only one sure way to prevent sqli and that's bound parameters.

CEng | August 3, 2012 10:47 am

@bsdwiz: Sometimes you can't always bind parameters. For example if you are taking a user-provided value and passing it into an ORDER BY or a LIMIT or even a table name. In that case, a whitelist should be used to ensure the parameter is numeric or matches a value in a predefined list. I think queries like these should be refactored entirely, but developers often don't want to do that.
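As an added illustration of both points above (bound parameters for values, as bsdwiz says, and an allow-list for the ORDER BY / direction / LIMIT pieces that cannot be bound, as CEng says), here is a small Python/sqlite3 example. It is not part of either comment or of the Veracode post; the table, rows, column names and limit cap are constructed for the demo.

```python
import sqlite3

# Allow-list for query fragments that cannot be bound as parameters.
# Keys are the values a client may send; values are the SQL identifiers used.
# (Constructed for this example.)
ALLOWED_ORDER_COLUMNS = {"id": "id", "name": "name", "role": "role"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
MAX_LIMIT = 100


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("Alice", "admin"), ("Bob", "user"), ("Carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the input is spliced into the SQL text itself,
    so quote characters in it change the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the input is passed as data and is never parsed
    as SQL, whatever characters it contains."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def list_users_sorted(conn: sqlite3.Connection, order_by: str,
                      direction: str = "ASC", limit=10) -> list:
    """ORDER BY column and direction cannot be bound, so they are resolved
    through an allow-list; anything else is rejected. LIMIT is range-checked
    and then bound as an integer parameter."""
    column = ALLOWED_ORDER_COLUMNS.get(order_by)
    if column is None:
        raise ValueError(f"order_by not allowed: {order_by!r}")
    direction = str(direction).upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"direction not allowed: {direction!r}")
    limit = int(limit)  # raises ValueError for anything that is not an integer
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit out of range: {limit}")
    # Only allow-listed identifiers reach the f-string; the value is bound.
    sql = f"SELECT name FROM users ORDER BY {column} {direction} LIMIT ?"
    return [row[0] for row in conn.execute(sql, (limit,))]


if __name__ == "__main__":
    db = make_demo_db()
    probe = "' OR '1'='1"  # constructed test input containing a quote
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no user has that name
    print("sorted:", list_users_sorted(db, "name", "desc", 2))
```

The allow-list maps client-supplied keys to identifiers rather than echoing the input back into the query, so even a "valid" key never reaches the SQL text verbatim; the LIMIT still goes through a bound parameter because sqlite3, like most drivers, accepts one there.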

Dave H | August 21, 2012 8:20 am

You have to use a combination of techniques, anything can be defeated if you work at it hard enough. The idea behind defeating sqli isn't that it isn't hack proof although that is what "we" as developers hope for, rather that we make it expensive enough in time and resources that the potential hacker goes elsewhere or is caught in the attempt.

I see a lot of comments about developers on many sites. The thing I will say is this: yes, some developers have bad coding habits. However, oftentimes it is not the developer, rather real-world issues around scheduling and resources, which cause the most impact. The developer would love to refactor the queries; unfortunately, as much as we hop up and down about sqli, the business will often ignore warnings until the bottom line is impacted. Until the dynamic of what can be safely ignored in order to make the most is changed, this will always leave a road open for the would-be hacker.
