2007-10-15

Database security

Well, let's start with a comix:
http://xkcd.com/327/

For those who hate parsing comixes, I will just summarize: a kid introduced himself to a teacher as an SQL injection, and got his code into the database through the spelling and the stupidity of the teachers. In the category of machine-human interaction anecdotes, this is of course no match for the real story of how a guy manually copied gibberish onto an envelope he posted, because he thought these letters (copied from an email) were a real Russian font.

But that's not what I wanted to say. What amused me is that the conclusion they come to at the end of the comix is plain wrong. All possible inputs should be supported - not filtered out - to achieve the required security.

I am also amazed by the stupidity of some security experts who recommend that people use stored procedures to achieve just that. As if "not concatenating string inputs into SQL as is" were a hard instruction for coders to follow otherwise.

[C#]
// Turn an arbitrary string into a SQL string literal: double every embedded
// single quote (the SQL-standard escape) and wrap the result in quotes.
public static string SqlQuote(string s) {
    return "'" + s.Replace("'", "''") + "'";
}

would definitely do the trick. Don't let them ever scare you.
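To show the point in a form that can actually be run against a database, here is an added example (not code from the post) that ports SqlQuote to Python and exercises it against an in-memory SQLite table. The table name, the sample inputs (one of them the comic's own name) and the helper names are constructed for the demonstration. It inserts each value twice: once by concatenating the quoted literal as the post suggests, once through the driver's parameter binding, which is the form most database APIs recommend because the value never becomes part of the SQL text at all. Both paths store the input byte-for-byte. One caveat a practitioner should keep in mind: doubling the single quote is exactly right for standard SQL literals (SQLite, PostgreSQL, SQL Server), but a dialect that also treats backslash as an escape character inside literals, such as MySQL in its default mode, needs the driver's own routine (the mysql_real_escape_string() mentioned in the comment below), which is another reason binding is preferred.

```python
import sqlite3
from typing import List


def sql_quote(s: str) -> str:
    """Build a SQL string literal: double each embedded quote, wrap in quotes.

    Mirrors the post's C# SqlQuote. Correct for standard SQL literals; not
    sufficient for dialects that also escape with backslash (e.g. MySQL).
    """
    return "'" + s.replace("'", "''") + "'"


def setup() -> sqlite3.Connection:
    # Constructed schema for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_quoted(conn: sqlite3.Connection, name: str) -> None:
    # Concatenation, but the value is turned into a proper literal first, so the
    # statement's structure cannot be changed by the content of `name`.
    conn.execute("INSERT INTO students (name) VALUES (" + sql_quote(name) + ")")


def insert_bound(conn: sqlite3.Connection, name: str) -> None:
    # Same effect via parameter binding: the SQL text is fixed, the value is
    # handed to the engine separately and never parsed as SQL.
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))


def stored_names(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute("SELECT name FROM students ORDER BY id")]


def round_trip(inputs: List[str]) -> List[str]:
    """Insert every input via both paths and return what the table holds."""
    conn = setup()
    for name in inputs:
        insert_quoted(conn, name)
    for name in inputs:
        insert_bound(conn, name)
    return stored_names(conn)


# Constructed sample inputs: a legitimate name containing a quote, the name
# from the linked comic, and a plain value.
SAMPLE_INPUTS = ["O'Brien", "Robert'); DROP TABLE students;--", "plain"]

if __name__ == "__main__":
    for name in SAMPLE_INPUTS:
        print(sql_quote(name))
    # Every input comes back unchanged and the table still exists.
    print(round_trip(SAMPLE_INPUTS))
```

The quoted concatenation works here because the quote is the only character that can terminate a literal in SQLite; the binding variant makes the same guarantee without depending on any knowledge of the dialect's escaping rules.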

1 comment:

artyom said...

The problem with security experts is that they are paranoid.

I agree that:
1. You should be aware of input, and never rely on it.
2. You should always use filters in SQL like mysql_real_escape_string(), etc.

However, these "experts" sometimes become really annoying:
1. Do not use malloc
2. Do not use threads
3. Do not use printf
4. Do not program.

I agree that using gets() is a problem. However, using snprintf() is always ok.

Instead of making people aware of some techniques, they forbid them.

BTW: I agree that too many "programmers" are not aware of security issues.