Talk:SQL injection




problem with quote

<quote> Sometimes vulnerabilities can exist within the database server software itself, as was the case with the MySQL server's real_escape_chars() functions recently. </quote> This lacks a source, a date, and the version(s) of MySQL affected. I assume it is in reference to CVE-2006-2753, MySQL Bug#8378 (See: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html), but this is a flaw in a database server, not SQL injection. Anyone else believe it should be deleted? —Preceding unsigned comment added by 203.206.98.80 (talkcontribs) 05:37, 6 August 2006

Agree that it should be deleted or expanded

Well, I think the point is that even by following the best practices against SQL Injection, the escaping functions can still allow it if they have loopholes. So SQL injection is not always the fault of the developer - it can be the fault of the server software too. Also, why in the world is the citation marked "citation needed"????

My 2 cents 76.252.28.95 (talk) —Preceding comment was added at 03:35, 13 January 2008 (UTC)

"incorrectly filtered for string literal escape characters"

As in, incorrect because there is no filtering of escape characters, or filtered but not very well? Might be just the way I read this line.

MS SQL and quoting

The statement "On MS SQL Server any valid SQL command may be injected via this method, including the execution of multiple statements" is quite incorrect, at least no more correct than the other languages listed. In most languages you can glue your SQL text together and have problems, or do things the right way. In MSSQL the right way is like:

// The placeholder is NOT quoted: '@animal' would compare against the literal
// string "@animal" instead of binding the parameter.
command.CommandText = "SELECT * FROM animals WHERE animal = @animal";

// The value travels separately from the SQL text, so it can never change the query.
command.Parameters.Add(new SqlParameter("@animal", "dog"));

Whitelisting

"For instance, if you wanted to defend against this attack, you could verify the userid variable to ensure its contents were numeric like so: if(!ctype_digit($userid)){ die("Invalid characters in userid."); }"

The problem is that in this example, we check the type of data in the host language, i.e. in a language other than SQL. The host language could have notations (e.g. hexadecimal, scientific notation...) in which one could write strings which would pass the numericity test in this language, but would not be numeric in SQL. Apokrif 21:47, 5 September 2007 (UTC)

But in his example he uses ctype_digit, which checks if the string consists of digits, as opposed to whether it is numerical. —Preceding unsigned comment added by 130.88.174.217 (talk) 19:35, 19 January 2008 (UTC)
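The two points argued in the "MS SQL and quoting" and "Whitelisting" sections above, shown side by side as an added example (not code from the article or from any of the commenters): a query built by string concatenation next to its parameterised form, and a strict digits-only allowlist (the behaviour of PHP's ctype_digit) next to the kind of lenient "is it numeric?" check that Apokrif warns about. It is written in Python against an in-memory SQLite database because that runs anywhere; the table name `animals`, the column names and the three sample rows are constructed for this example, and the SQL dialect differs from MS SQL only in the `?` placeholder syntax.

```python
import re
import sqlite3

# Constructed sample rows for this example; not data from the original page.
ROWS = [(1, "dog"), (2, "cat"), (3, "ferret")]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE animals (id INTEGER PRIMARY KEY, animal TEXT)")
    conn.executemany("INSERT INTO animals VALUES (?, ?)", ROWS)
    return conn


def find_animal_concat(value: str) -> list:
    """Vulnerable pattern: the user-supplied value is spliced into the SQL text.
    A value such as  x' OR '1'='1  rewrites the WHERE clause."""
    conn = _connect()
    sql = "SELECT id, animal FROM animals WHERE animal = '" + value + "'"
    return conn.execute(sql).fetchall()


def find_animal_param(value: str) -> list:
    """Safe pattern: the value is bound as a parameter, so it is always compared
    as data and can never become part of the statement."""
    conn = _connect()
    sql = "SELECT id, animal FROM animals WHERE animal = ?"
    return conn.execute(sql, (value,)).fetchall()


# Strict allowlist: ASCII decimal digits only, which is what ctype_digit() checks.
# \A and \Z anchor to the whole string (a trailing newline is rejected, unlike $).
_DIGITS_ONLY = re.compile(r"\A[0-9]+\Z")


def is_digit_string(s: str) -> bool:
    """True only for one or more ASCII digits; nothing else passes."""
    return bool(_DIGITS_ONLY.match(s))


def is_numeric_lenient(s: str) -> bool:
    """What a host-language 'is numeric' test typically accepts: surrounding
    whitespace, signs, hex/octal/binary prefixes, scientific notation, even
    'inf' and 'nan'. None of these spellings is a number to the SQL engine."""
    try:
        int(s.strip(), 0)   # base 0 honours 0x.., 0o.., 0b.. prefixes
        return True
    except ValueError:
        pass
    try:
        float(s)            # accepts '1e3', ' 12 ', 'inf', 'nan'
        return True
    except ValueError:
        return False


def find_by_id(userid: str) -> list:
    """The talk page's ctype_digit() check, then a bound parameter anyway:
    the allowlist rejects junk early, the parameter protects the query."""
    if not is_digit_string(userid):
        raise ValueError("Invalid characters in userid.")
    conn = _connect()
    sql = "SELECT id, animal FROM animals WHERE id = ?"
    return conn.execute(sql, (int(userid),)).fetchall()


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print("concatenated:", find_animal_concat(payload))   # every row leaks
    print("parameterised:", find_animal_param(payload))   # no row matches
    for probe in ("42", "0x10", "1e3", " 12", "\u00b2"):
        print(repr(probe), "digits:", is_digit_string(probe),
              "lenient:", is_numeric_lenient(probe),
              "str.isdigit:", probe.isdigit())
```

Two details worth noticing when running it: the concatenated query returns all three rows for the `' OR '1'='1` payload while the parameterised one returns none, and Python's own `str.isdigit()` is not a substitute for the regex, since it accepts Unicode digits such as the superscript "²" that `int()` and the database will not parse as an integer.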

Link farm

Yes, I removed a ton of links. No, the number of links removed does not entitle you to automatically revert this edit. I did this in accordance with the Wikipedia policies, which were being disregarded here. First, the most obvious: "Wikipedia is not a directory" per WP:NOT. Secondly, most of these links blatantly disrespect the guidelines on what the purpose of external links is, per WP:EXT. Links should be informational. They serve to improve an encyclopedia article by providing information about a topic. Linking to something that merely concerns the same topic in some way is not the same as linking to something that gives a person information about the topic. Wikipedia is not one-stop shopping for programming tutorials, guides, and hacking tools. The essay lamenting the fact that this threat is too largely ignored, and the general "what is SQL injection?" link, seem to be fairly good candidates for inclusion. But all the other programmer's guides, as well as the links that seem to be "how to hack a site", need to go and stay gone. TheBilly (talk) 01:40, 19 December 2007 (UTC)

Name

An important thing to research is the history behind SQL Injection. I get what its name means logically, but who named it such? When were people first aware of this problem, etc.? Have there been any big "worms" or "mass-hackings" using this vulnerability?

My Two cents. Gigitrix (talk) 13:12, 5 January 2008 (UTC)

Microsoft UK site hacked

The source, which is not of notable reliability, cites another equally unreliable source, who merely SPECULATES that it may have been an SQL injection attack. I think this should be removed.

Straussian (talk) 01:59, 12 January 2008 (UTC)

the IIS6 open source non-commercial tool link

About this link that I and others have removed several times, and that keeps getting re-added [1]. I see no point under Wikipedia:External_links#What_should_be_linked that fits this website that you keep linking. However, a bit lower on the same page, on point 13 of "links that should be avoided", we can read "Sites that are only indirectly related to the article's subject: the link should be directly related to the subject of the article." This is an article on SQL injection in general, and your link is a product to stop SQL injection on a certain web server. But this is only one of the reasons for deleting the link. Let's see: it has no encyclopaedic content, it doesn't add anything to the article subject, it promotes a website or product, etc. Also, it has already been reverted by several editors, and you are the only one that thinks that it should stay on the article. For all of this, I ask you to stop adding the link. --Enric Naval (talk) 16:21, 22 March 2008 (UTC)

Reply:
The text is full of references to PHP and Java, which are just indirectly related to SQL Injection. However, Internet Information Server is a mainstream Internet server, and a link to an open source tool to clean up SQL Injection for any language (Java, PHP, ASP, ASP.NET, etc.) with commented source code seems to be in order and very helpful for SQL Injection professionals and victims. I see relevance and I ask you to stop taking off the link. —Preceding unsigned comment added by 71.170.145.248 (talk) 16:44, 22 March 2008 (UTC)
Wikipedia:NOT#Wikipedia_is_not_a_directory. Wikipedia is not a list of resources. You should have noticed that we haven't linked to any product for Java or PHP SQL injection. Also, I just linked to a pair of PDFs with detailed instructions for SQL injection attacks on IISSQL server. Can you explain how the comments on the code of your program are better than those PDFs? --Enric Naval (talk) 17:07, 22 March 2008 (UTC)

P.D.: Also, I claim it is a link not relevant to the article topic, and I call upon WP:SPAM for being a promotion of a product not relevant to the article's topic and repeatedly re-adding the link and for adding it at the top of the list and not at the bottom, and WP:COI because you seem to be involved personally with this product. Can you point to a reason that we should link this product and not link all the other SQL-injection-related tools that exist in the world?

(If you are really related to the project, you should update your description with the reasons for not working on IIS 5 because of this comment [2]) --Enric Naval (talk) 17:07, 22 March 2008 (UTC)

Reply: if you find another open source product, please let me know. —Preceding unsigned comment added by 71.170.145.248 (talk) 17:35, 22 March 2008 (UTC)

I beg to differ: "being open source" is not a reason for having a link on a Wikipedia article, unless you can point me to a specific Wikipedia policy that says so. There are recommendations to use open source and free products/information instead of closed proprietary products/information, but this is not the case, since you are not replacing a closed source resource with an open source resource. You are pushing a product, period. --Enric Naval (talk) 17:39, 22 March 2008 (UTC)

Link to UN SQL Vulnerability

I'm worried about the link to the article about the United Nations page being hacked (Under Real-world examples), because the vulnerability is still there. Though they obviously should have fixed it already, we don't need to encourage people to do more damage. If no one objects, I'll remove the link. Zedlander (talk) 02:08, 26 March 2008 (UTC)

As for the legal responsibilities, the vulnerability is already public; we are just linking to a site specialized in hacking that provides information that is already known to the public. UN web admins have had months to patch the vulnerability and have not done it, for whatever reason. I also object to the removal per WP:CENSORED: Wikipedia is not censored. --Enric Naval (talk) 11:40, 26 March 2008 (UTC)