SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query...
-
Upload
truongdung -
Category
Documents
-
view
225 -
download
1
Transcript of SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query...
![Page 1: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/1.jpg)
SQL InjectionMyths and Fallacies
Bill Karwin, Percona Inc.
![Page 2: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/2.jpg)
www.percona.com
MeSoftware developerC, Java, Perl, PHP, RubySQL mavenMySQL Consultant at PerconaAuthor of SQL Antipatterns:
Avoiding the Pitfalls of Database Programming
![Page 3: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/3.jpg)
www.percona.com
What is SQL Injection?
SELECT * FROM Bugs WHERE bug_id = $_GET['bugid']
user input
![Page 4: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/4.jpg)
www.percona.com
What is SQL Injection?
SELECT * FROM Bugs WHERE bug_id = 1234 OR TRUE
unintended logic
![Page 5: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/5.jpg)
www.percona.com
Worse SQL Injection
UPDATE Accounts SET password = SHA2('$password')WHERE account_id = $account_id
![Page 6: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/6.jpg)
www.percona.com
Worse SQL Injection
UPDATE Accounts SET password = SHA2('xyzzy'), admin=('1')WHERE account_id = 1234 OR TRUE
changes password for all accounts
changes account to administrator
![Page 7: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/7.jpg)
www.percona.com
Myths and Fallacies
Based on a grain of truth, but derives a wrong conclusion
Based on a false assumption, but derives a logical conclusion
MYTH
FALLACY
![Page 8: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/8.jpg)
www.percona.com
Myth
“SQL Injection is an old problem―so I don’t have to
worry about it.”
MYTH
![Page 9: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/9.jpg)
www.percona.com
Identity Theft
130 million credit card numbers Albert Gonzalez used SQL
Injection to install his packet-sniffer code onto credit-card servers
Sentenced 20 years in March 2010 Cost to victim company Heartland
Payment Systems: $12.6 millionhttp://www.miamiherald.com/2009/08/22/1198469/from-snitch-to-cyberthief-of-the.html
http://www.cio.com/article/492039/Security_Breach_Cost_Heartland_12.6_Million_So_Far
![Page 10: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/10.jpg)
www.percona.com
Other Recent Cases
(April 2011) Sun.com and MySQL.com attacked by blind SQL Injection attack, revealing portions of the site’s databases, including usernames and passwords.
http://techie-buzz.com/tech-news/mysql-com-database-compromised-sql-injection.html
http://seclists.org/fulldisclosure/2011/Mar/309
http://tinkode27.baywords.com/
(April 2011) LizaMoon scareware campaign infected hundreds of thousands of websites via SQL Injection.
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229400764
![Page 11: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/11.jpg)
www.percona.com
2009 Data Breach Investigations Report, Verizon Business RISK Team
“When hackers are required to work to gain access, SQL injection appears to be the uncontested technique of choice. In 2008, this type of attack ranked second in prevalence (utilized in 16 breaches) and first in the amount of records compromised (79 percent of the aggregate 285 million).”
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Experts Agree
![Page 12: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/12.jpg)
www.percona.com
Myth
“Escaping input prevents SQL injection.”
MYTH
![Page 13: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/13.jpg)
www.percona.com
Escaping & Filtering
UPDATE Accounts SET password = SHA2('xyzzy\'), admin=(\'1')WHERE account_id = 1234
coerced to integer
backslash escapes special characters
![Page 14: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/14.jpg)
www.percona.com
Escaping & Filtering Functions<?php$password = $_POST["password"];
$password_escaped = mysql_real_escape_string($password);
$id = (int) $_POST["account"];$sql = "UPDATE Accounts
SET password = SHA2(‘{$password_escaped}’) WHERE account_id = {$id}";
mysql_query($sql);
![Page 15: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/15.jpg)
www.percona.com
Escaping & Filtering Functions<?php$password = $_POST["password"];
$password_quoted = $pdo->quote($password);$id = filter_input(INPUT_POST, "account",
FILTER_SANITIZE_NUMBER_INT);$sql = "UPDATE Accounts
SET password = SHA2( {$password_quoted} ) WHERE account_id = {$id}";
$pdo->query($sql);
![Page 16: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/16.jpg)
www.percona.com
Identifiers and Keywords<?php$column = $_GET["order"];
$column_delimited = $pdo->FUNCTION?($column);$direction = $_GET["dir"];$sql = "SELECT * FROM Bugs
ORDER BY {$column_delimited} {$direction}";$pdo->query($sql);
no API to support delimited identifiers
keywords get no quoting
![Page 17: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/17.jpg)
www.percona.com
Myth
“If some escaping is good, more must be better.”
MYTH
![Page 18: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/18.jpg)
www.percona.com
Overkill?<?phpfunction sanitize($string){
$string = strip_tags($string); $string = htmlspecialchars($string); $string = trim(rtrim(ltrim($string))); $string = mysql_real_escape_string($string); return $string;}
$password = sanitize( $_POST["password"] );mysql_query("UPDATE Users
SET password = '$password' WHERE user_id = $user_id");
real function from a user’s project
![Page 19: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/19.jpg)
www.percona.com
“FIRE EVERYTHING!!”
![Page 20: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/20.jpg)
www.percona.com
Just the One Will Do
<?php$password = mysql_real_escape_string(
$_POST["password"] );mysql_query("UPDATE Users
SET password = '$password' WHERE user_id = $user_id");
![Page 21: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/21.jpg)
www.percona.com
Myth
“I can write my own escaping function.”
MYTH
![Page 22: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/22.jpg)
www.percona.com
Please Don’t
addslashes() isn’t good enough in a multibyte worldExample:
http://example.org/login.php?account=%bf%27 OR 1=1 --$account = addslashes($_REQUEST(“account”));Function sees a single-quote (%27) and inserts
backslash (%5c). Result: %bf%5c%27 OR 1=1 --
valid multi-byte character in GBK: 縗
single-quote
![Page 23: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/23.jpg)
www.percona.com
Grant Access to Any Account
Interpolating:SELECT * FROM Accounts WHERE
account = '{$account}' AND password = '{$password}'
Results in:SELECT * FROM Accounts WHERE
account = '縗' OR 1=1 -- ' AND password = 'guess'
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
http://bugs.mysql.com/bug.php?id=8378
![Page 24: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/24.jpg)
www.percona.com
Solutions
Use driver-provided escaping functions:mysql_real_escape_string()mysqli::real_escape_string()PDO::quote()
Use API functions to set the client character set:mysql_set_charset()mysqli::set_charset()http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
Use UTF-8 instead of GBK, SJIS, etc.Use SQL query parameters (more on this later)
![Page 25: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/25.jpg)
www.percona.com
Myth
“Unsafe data comes from users―if it’s already in the database, then it’s safe.”
MYTH
![Page 26: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/26.jpg)
www.percona.com
Not Necessarily
$sql = "SELECT product_name FROM Products";$prodname = $pdo->query($sql)->fetchColumn();
$sql = "SELECT * FROM Bugs WHERE MATCH(summary, description) AGAINST ('{$prodname}')";
not safe input
![Page 27: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/27.jpg)
www.percona.com
Fallacy
“Using stored procedures prevents SQL Injection.”
FALLACY
![Page 28: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/28.jpg)
www.percona.com
Static SQL in Procedures
CREATE PROCEDURE FindBugById (IN bugid INT)BEGIN SELECT * FROM Bugs WHERE bug_id = bugid;END
CALL FindByBugId(1234)
filtering by data type is a good thing
![Page 29: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/29.jpg)
www.percona.com
Dynamic SQL in Procedures
CREATE PROCEDURE BugsOrderBy (IN column_name VARCHAR(100), IN direction VARCHAR(4))BEGIN SET @query = CONCAT( 'SELECT * FROM Bugs ORDER BY ', column_name, ' ', direction); PREPARE stmt FROM @query; EXECUTE stmt;END
CALL BugsOrderBy('date_reported', 'DESC')
interpolating arbitrary strings = SQL injection
![Page 30: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/30.jpg)
www.percona.com
Worthy of TheDailyWTF
CREATE PROCEDURE QueryAnyTable (IN table_name VARCHAR(100))BEGIN SET @query = CONCAT( 'SELECT * FROM ', table_name); PREPARE stmt FROM @query; EXECUTE stmt;END
CALL QueryAnyTable( '(SELECT * FROM ...)' )http://thedailywtf.com/Articles/For-the-Ease-of-Maintenance.aspx
![Page 31: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/31.jpg)
www.percona.com
Myth
“Conservative SQL privileges limit the
damage.”
MYTH
![Page 32: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/32.jpg)
www.percona.com
Denial of Service
SELECT * FROM Bugs JOIN Bugs JOIN Bugs JOIN Bugs JOIN Bugs JOIN Bugs
100 bugs = 1 trillion rows
![Page 33: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/33.jpg)
www.percona.com
Denial of Service
SELECT * FROM Bugs JOIN Bugs JOIN Bugs JOIN Bugs JOIN Bugs JOIN Bugs ORDER BY 1
still requires only SELECT privilege
![Page 34: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/34.jpg)
www.percona.com
Just Asking for It
http://www.example.com/show.php? query=SELECT%20*%20FROM%20Bugs
![Page 35: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/35.jpg)
www.percona.com
Fallacy
“It’s just an intranet application―it doesn’t
need to be secure.”
FALLACY
![Page 36: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/36.jpg)
www.percona.com
Just Ask This Manager
![Page 37: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/37.jpg)
www.percona.com
What Stays on the Intranet?
You could be told to give business partners access to an internal application
UPDATE Accounts SET password = SHA2('$password')WHERE account_id = $account_id
![Page 38: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/38.jpg)
www.percona.com
What Stays on the Intranet?
Your casual code could be copied & pasted into external applications
UPDATE Accounts SET password = SHA2('$password')WHERE account_id = $account_id
UPDATE Accounts SET password = SHA2('$password')WHERE account_id = $account_id
![Page 39: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/39.jpg)
www.percona.com
What Stays on the Intranet?
It’s hard to argue for a security review or rewrite for a “finished” application
$$$UPDATE Accounts SET password = SHA2('$password')WHERE account_id = $account_id
?
![Page 40: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/40.jpg)
www.percona.com
Myth
“My framework prevents SQL Injection.”
MYTH
![Page 41: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/41.jpg)
www.percona.com
ORMs Allow Custom SQL
Dynamic SQL always risks SQL Injection, for example Rails ActiveRecord:Bugs.all(
:joins => "JOIN Accounts ON reported_by = account_id",
:order => "date_reported DESC")
any custom SQL can carry SQL injection
![Page 42: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/42.jpg)
www.percona.com
Whose Responsibility?
Security is the application developer’s job
No database, connector, or framework can prevent SQL injection all the time
![Page 43: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/43.jpg)
www.percona.com
Fallacy
“Query parameters do quoting for you.”
FALLACY
![Page 44: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/44.jpg)
www.percona.com
Interpolating Dynamic Values
Query needs a dynamic value:
SELECT * FROM Bugs WHERE bug_id = $_GET['bugid']
user input
![Page 45: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/45.jpg)
www.percona.com
Using a Parameter
Query parameter takes the place of a dynamic value:
SELECT * FROM Bugs WHERE bug_id = ?
parameter placeholder
![Page 46: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/46.jpg)
www.percona.com
How the Database Parses It
query
SELECT
FROM
WHERE
expr-list *
simple-table
expr
bugs
parameterplaceholder
?
bug_id
=equality
![Page 47: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/47.jpg)
www.percona.com
How the Database Executes It
query
SELECT
FROM
WHERE
expr-list *
simple-table
expr
bugs
1234
bug_id
=
parametervalue
equality
![Page 48: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/48.jpg)
www.percona.com
Interpolation
query
SELECT
FROM
WHERE
expr-list *
simple-table
expr
1234
bugs
bug_id
=
TRUE
OR
SQL injection
equality
![Page 49: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/49.jpg)
www.percona.com
Parameterization
query
SELECT
FROM
WHERE
expr-list *
simple-table
expr
bugs
1234 OR TRUE
bug_id
=
no parametercan change the tree
equality
![Page 50: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/50.jpg)
www.percona.com
Sequence of Prepare & ExecuteClient Server
parse query
send parameters
send SQL
optimize query
execute queryreturn results
prepare query
execute query
repeat with different parameters
bind parameters
convert to machine-readable form
![Page 51: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/51.jpg)
www.percona.com
Myth
“Query parameters prevent SQL Injection.”
MYTH
![Page 52: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/52.jpg)
www.percona.com
One Parameter = One Value
SELECT * FROM Bugs WHERE bug_id = ?
![Page 53: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/53.jpg)
www.percona.com
Not a List of Values
SELECT * FROM Bugs WHERE bug_id IN ( ? )
![Page 54: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/54.jpg)
www.percona.com
Not a Table Name
SELECT * FROM ? WHERE bug_id = 1234
![Page 55: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/55.jpg)
www.percona.com
Not a Column Name
SELECT * FROM Bugs ORDER BY ?
![Page 56: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/56.jpg)
www.percona.com
Not an SQL Keyword
SELECT * FROM Bugs ORDER BY date_reported ?
![Page 57: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/57.jpg)
www.percona.com
Interpolation vs. ParametersScenario Example Value Interpolation Parameter
single value ‘1234’ SELECT * FROM Bugs WHERE bug_id = $id
SELECT * FROM Bugs WHERE bug_id = ?
multiple values
‘1234, 3456, 5678’ SELECT * FROM Bugs WHERE bug_id IN ($list)
SELECT * FROM Bugs WHERE bug_id IN ( ?, ?, ? )
table name ‘Bugs’ SELECT * FROM $table WHERE bug_id = 1234
NO
column name ‘date_reported’ SELECT * FROM Bugs ORDER BY $column
NO
other syntax ‘DESC’ SELECT * FROM Bugs ORDER BY date_reported $direction
NO
![Page 58: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/58.jpg)
www.percona.com
Solution
Whitelist Maps
SOLUTION
![Page 59: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/59.jpg)
www.percona.com
Example SQL Injection
http://www.example.com/?order=date_reported&dir=ASC
<?php$sortorder = $_GET["order"];
$direction = $_GET["dir"];$sql = "SELECT * FROM Bugs
ORDER BY {$sortorder} {$direction}";$stmt = $pdo->query($sql);
unsafe inputs
SQL Injection
![Page 60: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/60.jpg)
www.percona.com
Fix with a Whitelist Map
<?php$sortorders = array( "DEFAULT" => "bug_id",
"status" => "status", "date" => "date_reported" );
$directions = array( "DEFAULT" => "ASC", "up" => "ASC", "down" => "DESC" );
application request values
SQL identifiers and keywords
![Page 61: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/61.jpg)
www.percona.com
Map User Input to Safe SQL
<?php
if (isset( $sortorders[ $_GET["order"] ])){ $sortorder = $sortorders[ $_GET["order"] ];} else { $sortorder = $sortorders["DEFAULT"];}
![Page 62: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/62.jpg)
www.percona.com
Map User Input to Safe SQL
<?php$direction = $directions[ $_GET["dir"] ] ?:
$directions["DEFAULT"];
PHP 5.3 syntax
![Page 63: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/63.jpg)
www.percona.com
Interpolate Safe SQL
http://www.example.com/?order=date&dir=up
<?php$sql = "SELECT * FROM Bugs
ORDER BY {$sortorder} {$direction}";$stmt = $pdo->query($sql);
whitelisted values
![Page 64: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/64.jpg)
www.percona.com
Benefits of Whitelist Maps
•Protects against SQL injection in cases where escaping and parameterization doesn’t help.
•Decouples web interface from database schema.
•Uses simple, declarative technique.
•Works independently of any framework.
![Page 65: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/65.jpg)
www.percona.com
Fallacy
“Queries parameters hurt SQL performance.”
FALLACY
![Page 66: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/66.jpg)
www.percona.com
Simple Query
0
0.001
0.002
0.003
0.004
MySQLMySQLi
MySQLi PrepPDO
PDO Prep
Profiled Elapsed
![Page 67: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/67.jpg)
www.percona.com
Complex Query
0
0.39
0.78
1.17
1.56
MySQLMySQLi
MySQLi PrepPDO
PDO Prep
Profiled Elapsed
![Page 68: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/68.jpg)
www.percona.com
Myth
“A proxy/firewall solution prevents SQL injection.”
MYTH
![Page 69: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/69.jpg)
www.percona.com
Oracle Database Firewall
Reverse proxy between application and Oracle•Whitelist of known SQL queries• Learns legitimate queries from application traffic• Blocks unknown SQL queries • Also supports Microsoft SQL Server, IBM DB2,
Sybase ASE, SQL Anywherehttp://www.oracle.com/technetwork/database/database-firewall/overview/index.html
![Page 70: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/70.jpg)
www.percona.com
GreenSQL
Reverse proxy for MySQL, PostgreSQL, Microsoft SQL Server
Detects / reports / blocks “suspicious” queries:• Access to sensitive tables• Comments inside SQL commands• Empty password• An ‘or’ token inside a query• An SQL expression that always returns true
http://www.greensql.net/about
![Page 71: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/71.jpg)
www.percona.com
Still not Perfect
Vipin Samar, Oracle vice president of Database Security:“Database Firewall is a good first layer of defense for
databases but it won't protect you from everything,” http://www.databasejournal.com/features/oracle/article.php/3924691/article.htm
GreenSQL Architecture“GreenSQL can sometimes generate false positive
and false negative errors. As a result, some legal queries may be blocked or the GreenSQL system may pass through an illegal query undetected.”
http://www.greensql.net/about
![Page 72: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/72.jpg)
www.percona.com
Limitations of Proxy Solutions
• False sense of security; discourages code review •Gating factor for emergency code deployment•Constrains application from writing dynamic SQL•Doesn’t stop SQL injection in Stored Procedures
![Page 73: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/73.jpg)
www.percona.com
Fallacy
“NoSQL databases are immune to SQL injection.”
FALLACY
![Page 74: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/74.jpg)
www.percona.com
“NoSQL Injection”
http://www.example.com?column=password
<?php$map = new MongoCode("function() {
emit(this." . $_GET["column"] . ",1); } ");
$data = $db->command( array( "mapreduce" => "Users", "map" => $map) );
any string-interpolation of untrusted contentis Code Injection
![Page 75: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/75.jpg)
www.percona.com
NoSQL Injection in the Wild
Diaspora wrote MongoDB map/reduce functions dynamically from Ruby on Rails:def self.search(query)
Person.all('$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }")end
http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/
did query come from a trusted source?
![Page 76: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/76.jpg)
www.percona.com
Myths and Fallacies
I don’t have to worry anymore
Escaping is the fix
More escaping is better
I can code an escaping function
Only user input is unsafe
Stored procs are the fix
SQL privileges are the fix
My app doesn’t need security
Frameworks are the fix
Parameters quote for you
Parameters are the fix
Parameters make queries slow
SQL proxies are the fix
NoSQL databases are the fix
there is no single silver bullet—use all defenses when appropriate
![Page 77: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/77.jpg)
www.percona.com
SQL Antipatterns
http://www.pragprog.com/titles/bksqla/
![Page 78: SQL Injection Myths and Fallacies - Percona · PDF filetechnique of choice. ... parse query send parameters send SQL optimize query ... •Also supports Microsoft SQL Server, IBM DB2,](https://reader034.fdocuments.in/reader034/viewer/2022051721/5a7981d77f8b9a260e8d7fe0/html5/thumbnails/78.jpg)
www.percona.com
Copyright 2012 Bill Karwinwww.slideshare.net/billkarwin
Released under a Creative Commons 3.0 License: http://creativecommons.org/licenses/by-nc-nd/3.0/
You are free to share - to copy, distribute and transmit this work, under the following conditions:
Attribution. You must attribute this work to Bill Karwin.
Noncommercial. You may not use this work for commercial purposes.
No Derivative Works. You may not alter, transform, or build
upon this work.