I just thought I’d pass on this story…
One of my friends has been running an Internet business for many years. It started as an ASP website against an Access database. At the time Access didn’t support bind variables, so all the SQL was written using literals concatenated into the SQL. This didn’t present much of a problem as nobody ever talked about SQL injection in those days…
Over time, the site progressed and moved over to SQL Server. Unfortunately, none of the code was revised to use bind variables, still leaving it wide open to SQL injection attacks.
I got a mail from my friend this morning telling me his hosting provider has turned off his site because it’s getting battered by hackers. I guess the only thing I can say is he’s been lucky for the last 10 years. I could have happened any time during this period…
This post isn’t a criticism of the security of any particular database engine, scripting language, application server or browser. It’s merely an observation that there are still plenty of public websites out there that have gaping SQL injection holes in them, not due to the underlying technology, but due to sloppy programming.
It’s easy to get caught up in the security ratings of our infrastructure and forget that one dodgy SQL statement can give people the key to the door.
Let the paranoia commence… 🙂
Cheers
Tim…
I know exactly what you are saying. I have spent a great deal of time over the past two months troubleshooting the exact type of attack you are referring to (almost to the letter). ASP pages, literals, and a ton of various sql injection attacks. It was fun to investigate as you rarely get to do such a thing in a real-world scenario. Frustrating for me, as very few of my database recommendations were implemented.
Hi Tim,
Did you see this? Automated SQL Server attack bots hacked over 100,000 SQL Server web sites:
http://www.dba-oracle.com/oracle_news/news_sql_server_injection_attacks.htm
You can lead a horse to water, but you can’t make it drink… Unless you are very strong and have a hose pipe and funnel hand. 🙂
Cheers
Tim…
Don,
Thanks for that article. Wish I would have read that a month ago. It sounds exactly like what we were seeing.
There was also a nice write up on F-Secure’s website a couple of months ago:
http://www.f-secure.com/weblog/archives/00001427.html
Cheers,
Rob
Hi there, I am in the same boat now. Old Access DB was upgraded to SQL but the code was kept the same (as it worked!)
Has just been hit by an SQL Injection pumping javascript into the fields of the database.
Does this mean, however that MS Access datbases with the same code are OK and cannot be attacked in the same way?
Is it just an SQL thing?
Hi.
No. Depending on the attack mechanism, the access database was just as vulnerable, as is any other SQL database where the application doesn’t use bind variables.
I guess the difference now is SQL Injection has gone from a possible issue, to one that is actively being exploited by bots.
Cheers
Tim…