Editorials

Is SQL Injection Still a Worry?

SSWUGtv – Are Interns for You?
With Stephen Wynkoop
In today's economy, many companies are investing in interns. This is a cost-effective way to temporarily solve their resource needs as well as to get in an early bid on upcoming talent. But what types of tasks and preparation are needed?

Is SQL Injection Still an Issue?
As I continue to work with newly graduated software developers I am finding different levels of skill when it comes to using a relational database. Some know only the very basics of SQL syntax and rely on ORM generators instead; others have more skill and write SQL statements on their own.

What I haven't really looked into is their understanding of what SQL Injection is, and how to protect against it. So, I thought I would throw the topic out today to our readers at large. My intention is not so much to train as to get some idea of the extent of the problem.

For those of you who are unsure, SQL Injection is most easily accomplished when you build your own SQL statements from scratch, concatenating an SQL command with input from a user. It would look something like this:

SELECT …
FROM SOMETABLE
WHERE LASTNAME = 'TAYLOR'

The value 'TAYLOR' is taken from user input.

If the input field where they type TAYLOR accepts enough characters, the user can instead enter additional SQL statements, which the database then executes along with the original one.

You can search Google for any number of techniques for protecting against SQL Injection if you are unsure how to securely access an SQL database.
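As an added illustration (example code, not part of Ben's editorial), here is the LASTNAME lookup above written both ways in Python against an in-memory SQLite table: once by concatenating the user's input into the SQL text, and once by passing it as a bound parameter. The table, the names and the inputs are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example; not from the newsletter.
SAMPLE_ROWS = [("TAYLOR", 50000), ("SMITH", 60000), ("JONES", 70000), ("O'BRIEN", 80000)]


def make_db():
    """Build an in-memory SQLite database with a small PEOPLE table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, lastname TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO people (lastname, salary) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, lastname):
    """The pattern the editorial warns about: the user's text becomes part of the SQL itself."""
    sql = "SELECT lastname FROM people WHERE lastname = '" + lastname + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname):
    """The same query with the value bound as a parameter; the SQL text never changes."""
    sql = "SELECT lastname FROM people WHERE lastname = ?"
    return [row[0] for row in conn.execute(sql, (lastname,))]


def concatenation_breaks_on(conn, lastname):
    """True if the concatenated query fails for this input (e.g. a legitimate apostrophe)."""
    try:
        lookup_concatenated(conn, lastname)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "TAYLOR"))       # ['TAYLOR']
    # A value that is not a last name at all turns the WHERE clause into a tautology,
    # so the concatenated query returns every row in the table.
    hostile = "' OR 'x'='x"
    print(lookup_concatenated(db, hostile))        # all four names
    print(lookup_parameterized(db, hostile))       # [] : the value is compared as a literal string
    # A perfectly legitimate surname also breaks the concatenated version.
    print(concatenation_breaks_on(db, "O'BRIEN"))  # True
    print(lookup_parameterized(db, "O'BRIEN"))     # ["O'BRIEN"]
```

The parameterized form sends the SQL text and the value to the database separately, so the value is never parsed as SQL no matter what it contains. That is why bound parameters, rather than escaping or length limits on the input field, are the standard protection; the O'BRIEN case shows it is a correctness fix as well as a security one.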

So, is SQL Injection still a worry in modern software development? Have you seen code allowing SQL Injection recently? If so, was it new or legacy code? Share your observations by dropping an email to btaylor@sswug.org.

Cheers,

Ben


Featured Article(s)
SQL Server: Purging msdb History Tables to Control msdb Database Growth
msdb is a system database that supports the SQL Server Agent service and stores all the information and history about job scheduling, job history, backups and restores, Service Broker, Database Mail and other maintenance activity. It is very important to purge the msdb history tables regularly, because without regular maintenance these system tables can grow very large, which results in unexpected growth of the msdb database and slow performance during backup and restore and Database Mail operations. In this article, I'll discuss how we can purge the msdb history tables.

Featured White Paper(s)
Achieve an astounding return on investment with Toad® for Oracle