If you understand this comic: http://xkcd.com/327/, you know about a hacking technique known as SQL Injection!
This is a well known, simple to implement trick used by hackers.
We usually implement a search box by creating a SQL statement out of the search string entered by a user and then carry out the search and display result. One symbol to watch out for is the single quote, and the double dash. Single quote is for closing literals, and double slash is the start of comments. Every SQL programmers know that.
Check out the third box in the comics. The intended query may be
SELECT * FROM STUDENTS WHERE LASTNAME='Robert'when the user enters "Robert" in the search box. Watch that single quote and double dash used together! The query becomes
SELECT * FROM STUDENTS WHERE LASTNAME='Robert'; DROP TABLE Students; --';Whoa! The evil user sneaked in the DROP TABLE statement which wiped out the data! That double dash ignores the rest of the commands that can generate a syntax error.
Anti-Virus software and firewall do not totally prevent hackers.
What do you suggest to improve this code? (I have several suggestions, stay tuned)
4 comments:
Ok, I don't really have much readers in my blog, or no one have some good clues.
To counter this hack. You may
1. Convert single quote to 2 single quotes. After all, your code will crash if you search for "McDonald's" as the single quote will upset the SQL statement.
Make that a test case. Watch out for ampersand or anything that upsets SQL statement too. A crash is better than someone inserting a DROP TABLE.
2. Use preparedStatement. This way you ensure no one inserts -- to upset the rest of your query.
3. Use object wrappers like Hibernate or Toplink. But I rather deal with SQL directly to have maximum flexibility.
The comic stick figures ain't dilbert and shows no talent. yikes; a 4 year old draws better than that.
preparedStatement as in JDBC?
I have not had to deal with databases for about 7 years; I had been a DBA (for about 2 years) and I will never want to be a DBA ever again.
yes, google preparedstatement and java. Basically a "?" is to be substituted with real values.
I'm in a love-hate relationship with virtual memory because of how prices are always falling. I absolutely hate buying SDs for my R4 / R4i at (what seems to be) a crazy bargain price only to see it become 10% cheaper a couple of months later.
(Posted by Net3 for R4i Nintendo DS.)
Post a Comment