Monday, October 15, 2007

Hacking and Comics

http://xkcd.com/ is a great fun site for geeks. Ok, that is not a very favorable label. Let's call them technological people. Artwork is not great, just stick figures, but sometimes there are some great jokes. You are a techie if you understand all. Dilbert of course is another well known tech comics, and Dilbert seems to focus on wackyness of people instead in recent years.

If you understand this comic: http://xkcd.com/327/, you know about a hacking technique known as SQL Injection!



This is a well known, simple to implement trick used by hackers.

We usually implement a search box by creating a SQL statement out of the search string entered by a user and then carry out the search and display result. One symbol to watch out for is the single quote, and the double dash. Single quote is for closing literals, and double slash is the start of comments. Every SQL programmers know that.

Check out the third box in the comics. The intended query may be
SELECT * FROM STUDENTS WHERE LASTNAME='Robert'
when the user enters "Robert" in the search box. Watch that single quote and double dash used together! The query becomes
SELECT * FROM STUDENTS  WHERE LASTNAME='Robert'; DROP TABLE Students;  --';
Whoa! The evil user sneaked in the DROP TABLE statement which wiped out the data! That double dash ignores the rest of the commands that can generate a syntax error.

Anti-Virus software and firewall do not totally prevent hackers.

What do you suggest to improve this code? (I have several suggestions, stay tuned)

4 comments:

Joseph Mak said...

Ok, I don't really have much readers in my blog, or no one have some good clues.

To counter this hack. You may
1. Convert single quote to 2 single quotes. After all, your code will crash if you search for "McDonald's" as the single quote will upset the SQL statement.
Make that a test case. Watch out for ampersand or anything that upsets SQL statement too. A crash is better than someone inserting a DROP TABLE.

2. Use preparedStatement. This way you ensure no one inserts -- to upset the rest of your query.

3. Use object wrappers like Hibernate or Toplink. But I rather deal with SQL directly to have maximum flexibility.

Alex Mak said...

The comic stick figures ain't dilbert and shows no talent. yikes; a 4 year old draws better than that.

preparedStatement as in JDBC?

I have not had to deal with databases for about 7 years; I had been a DBA (for about 2 years) and I will never want to be a DBA ever again.

Joseph Mak said...

yes, google preparedstatement and java. Basically a "?" is to be substituted with real values.

Anonymous said...

I'm in a love-hate relationship with virtual memory because of how prices are always falling. I absolutely hate buying SDs for my R4 / R4i at (what seems to be) a crazy bargain price only to see it become 10% cheaper a couple of months later.

(Posted by Net3 for R4i Nintendo DS.)