SQL Injection Myths and Fallacies
Bill Karwin, Percona Inc.
www.percona.com
Me
• Software developer
• C, Java, Perl, PHP, Ruby
• SQL maven
• Percona Consultant and Trainer
• Author of SQL Antipatterns: Avoiding the Pitfalls of Database Programming
What is SQL Injection?
http://example.com/show.php?bugid=1234
SELECT * FROM Bugs WHERE bug_id = $_GET['bugid']
($_GET['bugid'] is user input, pasted directly into the SQL text)
What is SQL Injection?
http://example.com/show.php?bugid=1234 OR TRUE
SELECT * FROM Bugs WHERE bug_id = 1234 OR TRUE
(unintended logic: the injected OR TRUE makes the WHERE clause match every row)
Worse SQL Injection
http://example.com/changepass.php?acctid=1234&pass=xyzzy
UPDATE Accounts SET password = SHA2('$password') WHERE account_id = $account_id
Worse SQL Injection
http://example.com/changepass.php?acctid=1234 OR TRUE&pass=xyzzy'), admin=('1
UPDATE Accounts SET password = SHA2('xyzzy'), admin=('1') WHERE account_id = 1234 OR TRUE
(OR TRUE changes the password for all accounts; admin=('1') changes the account to administrator)
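To see both halves of this slide actually run, here is an added example (mine, not code from Bill Karwin's deck) that rebuilds the changepass.php logic in Python on an in-memory SQLite database instead of PHP and MySQL. The Accounts table, its three accounts and the two query-string values are constructed for the demonstration, and SHA2 is registered as a one-argument stand-in for MySQL's function so the slide's SQL text runs unchanged. The interpolated function reproduces the slide's result; the parameterized one binds each request value as a single value, so the hostile account id matches no row and the hostile password is simply hashed as-is.

```python
import hashlib
import sqlite3

# Constructed sample inputs: the two query-string values from the slide's URL
# (acctid=1234 OR TRUE&pass=xyzzy'), admin=('1).
ACCT_ID_INPUT = "1234 OR TRUE"
PASSWORD_INPUT = "xyzzy'), admin=('1"


def make_db():
    """In-memory Accounts table with three constructed, non-admin accounts."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SHA2(); register a one-argument stand-in so the slide's SQL
    # runs unchanged (MySQL's SHA2 additionally takes a hash-length argument).
    conn.create_function(
        "SHA2", 1, lambda s: hashlib.sha256(str(s).encode()).hexdigest()
    )
    conn.executescript(
        """
        CREATE TABLE Accounts (
            account_id INTEGER PRIMARY KEY,
            password   TEXT NOT NULL,
            admin      INTEGER NOT NULL DEFAULT 0
        );
        INSERT INTO Accounts (account_id, password, admin) VALUES
            (1234, SHA2('old-secret-1234'), 0),
            (5678, SHA2('old-secret-5678'), 0),
            (9012, SHA2('old-secret-9012'), 0);
        """
    )
    return conn


def change_password_interpolated(conn, account_id, password):
    """The slide's changepass.php logic: request values pasted into the SQL text.
    Returns the number of rows the UPDATE touched."""
    sql = (f"UPDATE Accounts SET password = SHA2('{password}') "
           f"WHERE account_id = {account_id}")
    return conn.execute(sql).rowcount


def change_password_parameterized(conn, account_id, password):
    """Same statement with placeholders: each request value is bound as one
    value, so it can only be compared or hashed, never parsed as SQL."""
    sql = "UPDATE Accounts SET password = SHA2(?) WHERE account_id = ?"
    return conn.execute(sql, (password, account_id)).rowcount


def snapshot(conn):
    """account_id -> (password is now SHA2('xyzzy')?, admin flag)."""
    xyzzy = hashlib.sha256(b"xyzzy").hexdigest()
    rows = conn.execute(
        "SELECT account_id, password, admin FROM Accounts ORDER BY account_id"
    )
    return {aid: (pw == xyzzy, admin) for aid, pw, admin in rows}


if __name__ == "__main__":
    db = make_db()
    n = change_password_interpolated(db, ACCT_ID_INPUT, PASSWORD_INPUT)
    print("interpolated:", n, "rows", snapshot(db))  # all 3 accounts: xyzzy, admin=1

    db = make_db()
    n = change_password_parameterized(db, ACCT_ID_INPUT, PASSWORD_INPUT)
    print("parameterized, hostile input:", n, "rows", snapshot(db))  # 0 rows
    n = change_password_parameterized(db, "1234", "xyzzy")
    print("parameterized, normal input:", n, "rows", snapshot(db))  # only 1234
```

Note that the parameterized version receives the account id as the string "1234 OR TRUE" and simply compares it with the integer column; it is not a number, so nothing matches. With the legitimate string "1234" the driver converts it and exactly one row changes.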
Myths and Fallacies
MYTH: based on a grain of truth, but derives a wrong conclusion
FALLACY: based on a false assumption, but derives a logical conclusion
Myth
“SQL Injection is an old problem―so I don’t have to worry about it.”
Identity Theft
• 130 million credit card numbers
• Albert Gonzalez used SQL Injection to install his code onto credit-card servers
• Sentenced to 20 years in March 2010
• Cost to victim company Heartland Payment Systems: $12.6 million
• http://www.miamiherald.com/2009/08/22/1198469/from-snitch-to-cyberthief-of-the.html
• http://www.cio.com/article/492039/Security_Breach_Cost_Heartland_12.6_Million_So_Far
Ruby on Rails 3.x
• June 1, 2012. Ruby on Rails 3.2.5 releases a fix for a critical SQL injection vulnerability.
• Applications using ActiveRecord in Ruby on Rails 3.0 and later were vulnerable.
• Fixes released in RoR 3.1.5 and 3.0.13 as well.
• http://news.softpedia.com/news/Critical-SQL-Injection-Vulnerability-Fixed-with-Ruby-on-Rails-3-2-5-273202.shtml
LinkedIn.com
• June 4, 2012. Russian hackers posted 6.5 million user credentials acquired from LinkedIn.com.
• The means of attack is still unconfirmed, but...
• A class action lawsuit against LinkedIn over this breach alleges that the attackers exploited an SQL injection vulnerability.
• http://www.zdnet.com/blog/identity/linkedin-hit-with-5-million-class-action-suit/548
Yahoo! Voices
• July 12, 2012. 453,000 email addresses and passwords leaked.
• The perpetrators claimed they exploited union-based SQL injection.
• http://arstechnica.com/security/2012/07/yahoo-service-hacked/
• http://gnahackteam.wordpress.com/2012/06/08/union-based-basic-sql-injection/
Myth
“Escaping input prevents SQL injection.”
Escaping & Filtering
http://example.com/changepass.php?acctid=1234 OR TRUE&pass=xyzzy'), admin=('1
UPDATE Accounts SET password = SHA2('xyzzy\'), admin=(\'1') WHERE account_id = 1234
(the backslash escapes the special characters in the password; the account id is coerced to an integer)
Escaping & Filtering Functions
<?php
$password = $_POST["password"];
$password_escaped = mysql_real_escape_string($password);
$id = (int) $_POST["account"];
$sql = "UPDATE Accounts
  SET password = SHA2('{$password_escaped}') WHERE account_id = {$id}";
mysql_query($sql);
Escaping & Filtering Functions
<?php
$password = $_POST["password"];
$password_quoted = $pdo->quote($password);
$id = filter_input(INPUT_POST, "account", FILTER_SANITIZE_NUMBER_INT);
$sql = "UPDATE Accounts
  SET password = SHA2( {$password_quoted} ) WHERE account_id = {$id}";
$pdo->query($sql);
Identifiers and Keywords
<?php
$column = $_GET["order"];
$column_delimited = $pdo->FUNCTION?($column);
$direction = $_GET["dir"];
$sql = "SELECT * FROM Bugs
  ORDER BY {$column_delimited} {$direction}";
$pdo->query($sql);
(there is no API to support delimited identifiers, and keywords such as the sort direction get no quoting at all)
Myth
“If some escaping is good, more must be better.”
Overkill?
<?php
function sanitize($string) {
  $string = strip_tags($string);
  $string = htmlspecialchars($string);
  $string = trim(rtrim(ltrim($string)));
  $string = mysql_real_escape_string($string);
  return $string;
}
$password = sanitize( $_POST["password"] );
mysql_query("UPDATE Users
  SET password = '$password' WHERE user_id = $user_id");
(real function from a user’s project)
“FIRE EVERYTHING!!”
Just the One Will Do
<?php
$password = mysql_real_escape_string( $_POST["password"] );
mysql_query("UPDATE Users
  SET password = '$password' WHERE user_id = $user_id");
Myth
“I can write my own escaping function.”
Please Don’t
• addslashes() isn’t enough in a multibyte world
• Example: http://example.org/login.php?account=%bf%27 OR 'x'='x
• $account = addslashes($_REQUEST["account"]);
• The function sees a single-quote (%27) and inserts a backslash (%5c). Result: %bf%5c%27 OR 'x'='x
• %bf%5c is a valid multi-byte character in GBK (縗), so the %27 that follows is a bare single-quote
Grant Access to Any Account
• Interpolating:
SELECT * FROM Accounts
WHERE account = '{$account}' AND password = '{$passwd}'
• Results in:
SELECT * FROM Accounts
WHERE account = '縗' OR 'x'='x' AND password = 'xyzzy'
• http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
• http://bugs.mysql.com/bug.php?id=8378
Solutions
• Use driver-provided escaping functions:
  • mysql_real_escape_string()
  • mysqli::real_escape_string()
  • PDO::quote()
• Use API functions to set the client character set:
  • mysql_set_charset()
  • mysqli::set_charset()
  • http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
• Use UTF-8 instead of GBK, SJIS, etc.
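The addslashes() slides above are easiest to follow at the byte level. The following added example (mine, not from the deck) reproduces them in Python: a byte-oriented escaper in the style of addslashes(), a scanner that reads the escaped bytes the way a server lexer running in the connection charset would, and a charset-aware escaper that decodes strictly before escaping. The last one is my illustration of the principle behind the "set the client character set through the API" advice, not the driver's actual algorithm. The input bytes are the slide's %bf%27 value; the legitimate GBK input and the helper names are constructed for the example.

```python
# Constructed input: the byte sequence behind the slide's URL value
# "%bf%27 OR 'x'='x" (0xbf is a GBK lead byte, 0x27 is a single quote).
RAW_INPUT = b"\xbf\x27 OR 'x'='x"

# A legitimate GBK value for comparison: the two-byte character 0xbf 0x5c
# (shown on the slide as 縗) followed by an apostrophe.
LEGIT_INPUT = b"\xbf\x5c' OR 'x'='x"

SPECIAL = b"'\"\\\x00"


def naive_addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of addslashes(): prefixes every
    quote, backslash and NUL with a backslash and has no notion of which
    bytes begin a multi-byte character."""
    out = bytearray()
    for b in raw:
        if b in SPECIAL:
            out.append(0x5C)  # this backslash becomes the trail byte of 0xbf
        out.append(b)
    return bytes(out)


def has_unescaped_quote(literal: str) -> bool:
    """Read an already-decoded string the way a server lexer in that charset
    would: a single quote not preceded by a backslash ends the literal."""
    escaped = False
    for ch in literal:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False


def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Escape in character space: decode strictly in the connection charset,
    escape per character, encode back. Byte sequences that are not valid in
    that charset are rejected instead of being passed through."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}") from exc
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


if __name__ == "__main__":
    naive = naive_addslashes(RAW_INPUT)
    print("naive bytes  :", naive)
    for charset in ("latin-1", "gbk"):
        decoded = naive.decode(charset)
        print(f"as {charset:8}:", decoded, "-> unescaped quote?",
              has_unescaped_quote(decoded))
    try:
        escape_charset_aware(RAW_INPUT, "gbk")
    except ValueError as exc:
        print("charset-aware:", exc)
    safe = escape_charset_aware(LEGIT_INPUT, "gbk").decode("gbk")
    print("legit GBK    :", safe, "-> unescaped quote?", has_unescaped_quote(safe))
```

The same escaped bytes are harmless when read as a single-byte charset and carry a bare quote when read as GBK, which is exactly the client/server charset disagreement the slides describe; escaping in character space cannot produce that, because the lone lead byte is rejected before any backslash is inserted.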
Myth
“Unsafe data comes from users―if it’s already in the database, then it’s safe.”
Not Necessarily
$sql = "SELECT product_name FROM Products";
$prodname = $pdo->query($sql)->fetchColumn();
$sql = "SELECT * FROM Bugs WHERE MATCH(summary, description) AGAINST ('{$prodname}')";
($prodname came from the database, but it is still not safe input)
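An added example (mine, not from the deck) of the same second-order situation in Python with SQLite: a product name that legitimately contains apostrophes is stored with a parameterized INSERT, then read back and pasted into a second query. SQLite has no MATCH ... AGAINST, so the second query uses LIKE instead; the interpolation, not the operator, is the point. The tables and rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample data: one product whose name contains apostrophes
    and two bugs. The product name enters the database safely, through a
    parameterized INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Products (product_id INTEGER PRIMARY KEY, product_name TEXT NOT NULL);
        CREATE TABLE Bugs (bug_id INTEGER PRIMARY KEY, summary TEXT NOT NULL,
                           description TEXT NOT NULL);
        """
    )
    conn.execute("INSERT INTO Products (product_name) VALUES (?)",
                 ("O'Reilly's Widget Kit",))
    conn.executemany(
        "INSERT INTO Bugs (summary, description) VALUES (?, ?)",
        [("Crash in O'Reilly's Widget Kit", "segfault at startup"),
         ("Typo on login page", "unrelated to any product")],
    )
    return conn


def first_product_name(conn):
    return conn.execute("SELECT product_name FROM Products").fetchone()[0]


def bugs_for_product_interpolated(conn):
    """The slide's pattern: a value read from the database is pasted into the
    next statement. Returns the bug ids, or an error string if the statement
    no longer parses."""
    prodname = first_product_name(conn)
    sql = f"SELECT bug_id FROM Bugs WHERE summary LIKE '%{prodname}%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # The apostrophes in the stored name ended the string literal early;
        # a stored value crafted for the purpose would change the query
        # instead of breaking it.
        return f"query failed: {exc}"


def bugs_for_product_parameterized(conn):
    """Same lookup with the stored value bound as a parameter."""
    prodname = first_product_name(conn)
    sql = "SELECT bug_id FROM Bugs WHERE summary LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (prodname,))]


if __name__ == "__main__":
    db = make_db()
    print("interpolated :", bugs_for_product_interpolated(db))   # query failed: ...
    print("parameterized:", bugs_for_product_parameterized(db))  # [1]
```

Where the value came from makes no difference to the parser: a quote in the SQL text is a quote. Treating every value as data at the point it is used, whether it arrived from a form, a file or a table, is what keeps the second query intact.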
Fallacy
“Using stored procedures prevents SQL Injection.”
Static SQL in Procedures
CREATE PROCEDURE FindBugById (IN bugid INT)
BEGIN
  SELECT * FROM Bugs WHERE bug_id = bugid;
END

CALL FindBugById(1234)
(filtering by data type is a good thing)
Dynamic SQL in Procedures
CREATE PROCEDURE BugsOrderBy (IN column_name VARCHAR(100), IN direction VARCHAR(4))
BEGIN
  SET @query = CONCAT( 'SELECT * FROM Bugs ORDER BY ', column_name, ' ', direction);
  PREPARE stmt FROM @query;
  EXECUTE stmt;
END

CALL BugsOrderBy('date_reported', 'DESC')
(interpolating arbitrary strings = SQL injection)
Worthy of TheDailyWTF
CREATE PROCEDURE QueryAnyTable (IN table_name VARCHAR(100))
BEGIN
  SET @query = CONCAT( 'SELECT * FROM ', table_name);
  PREPARE stmt FROM @query;
  EXECUTE stmt;
END

CALL QueryAnyTable( '(SELECT * FROM ...)' )
http://thedailywtf.com/Articles/For-the-Ease-of-Maintenance.aspx
Myth
“Conservative SQL privileges limit the damage.”
Denial of Service
SELECT * FROM Bugs JOIN Bugs JOIN Bugs JOIN Bugs JOIN Bugs JOIN Bugs
(with 100 bugs, this six-way self-join produces 100^6 = 1 trillion rows)
Denial of Service
SELECT * FROM Bugs JOIN Bugs JOIN Bugs JOIN Bugs JOIN Bugs JOIN Bugs ORDER BY 1
(this still requires only the SELECT privilege)
Just Asking for It
http://www.example.com/show.php?query=SELECT%20*%20FROM%20Bugs
Fallacy
“It’s just an intranet application―it doesn’t need to be secure.”
Just Ask This Manager
What Stays on the Intranet?
• You could be told to give business partners access to an internal application
UPDATE Accounts SET password = SHA2('$password') WHERE account_id = $account_id
What Stays on the Intranet?
• Your casual code could be copied & pasted into external applications
UPDATE Accounts SET password = SHA2('$password') WHERE account_id = $account_id
UPDATE Accounts SET password = SHA2('$password') WHERE account_id = $account_id
What Stays on the Intranet?
• It’s hard to argue for a security review or rewrite for a “finished” application
UPDATE Accounts SET password = SHA2('$password') WHERE account_id = $account_id
$$$ ?
Myth
“My framework prevents SQL Injection.”
ORMs Allow Custom SQL
• Dynamic SQL always risks SQL Injection, for example Rails ActiveRecord:
Bugs.all( :joins => "JOIN Accounts ON reported_by = account_id",
          :order => "date_reported DESC")
(any custom SQL can carry SQL injection)
Whose Responsibility?
• Security is the application developer’s job
• No database, connector, or framework can prevent SQL injection all the time
Fallacy
“Query parameters do quoting for you.”
Interpolating Dynamic Values
• Query needs a dynamic value:
SELECT * FROM Bugs WHERE bug_id = $_GET['bugid']
($_GET['bugid'] is user input)
Using a Parameter
• Query parameter takes the place of a dynamic value:
SELECT * FROM Bugs WHERE bug_id = ?
(? is the parameter placeholder)
How the Database Parses It
query
  SELECT  expr-list: *
  FROM    simple-table: bugs
  WHERE   expr: equality
            bug_id = ?   (parameter placeholder)
How the Database Executes It
query
  SELECT  expr-list: *
  FROM    simple-table: bugs
  WHERE   expr: equality
            bug_id = 1234   (parameter value)
Interpolation
query
  SELECT  expr-list: *
  FROM    simple-table: bugs
  WHERE   expr: OR
            equality: bug_id = 1234
            TRUE   (SQL injection: the interpolated text added a branch to the parse tree)
Parameterization
query
  SELECT  expr-list: *
  FROM    simple-table: bugs
  WHERE   expr: equality
            bug_id = 1234 OR TRUE   (a single parameter value; no parameter can change the tree)
Sequence of Prepare & Execute (Client / Server)
1. Client: prepare query; sends the SQL text
2. Server: parse query; convert to machine-readable form
3. Client: bind parameters
4. Client: execute query; sends the parameters
5. Server: optimize query; execute query; return results
6. Repeat steps 3 to 5 with different parameters
Myth
“Query parameters prevent SQL Injection.”
One Parameter = One Value
SELECT * FROM Bugs WHERE bug_id = ?
Not a List of Values
SELECT * FROM Bugs WHERE bug_id IN ( ? )
Not a Table Name
SELECT * FROM ? WHERE bug_id = 1234
Not a Column Name
SELECT * FROM Bugs ORDER BY ?
Not an SQL Keyword
SELECT * FROM Bugs ORDER BY date_reported ?
Interpolation vs. Parameters
Scenario          Example Value         Interpolation                                           Parameter
single value      '1234'                SELECT * FROM Bugs WHERE bug_id = $id                   SELECT * FROM Bugs WHERE bug_id = ?
multiple values   '1234, 3456, 5678'    SELECT * FROM Bugs WHERE bug_id IN ($list)              SELECT * FROM Bugs WHERE bug_id IN ( ?, ?, ? )
table name        'Bugs'                SELECT * FROM $table WHERE bug_id = 1234                NO
column name       'date_reported'       SELECT * FROM Bugs ORDER BY $column                     NO
other syntax      'DESC'                SELECT * FROM Bugs ORDER BY date_reported $direction    NO
Solution: Whitelist Maps
Example SQL Injection
http://www.example.com/?order=date_reported&dir=ASC
<?php
$sortorder = $_GET["order"];
$direction = $_GET["dir"];
$sql = "SELECT * FROM Bugs
  ORDER BY {$sortorder} {$direction}";
$stmt = $pdo->query($sql);
($sortorder and $direction are unsafe inputs; interpolating them is SQL Injection)
Fix with a Whitelist Map
<?php
$sortorders = array( "DEFAULT" => "bug_id",
  "status" => "status", "date" => "date_reported" );
$directions = array( "DEFAULT" => "ASC", "up" => "ASC", "down" => "DESC" );
(the array keys are application request values; the array values are SQL identifiers and keywords)
Map User Input to Safe SQL
<?php
if (isset( $sortorders[ $_GET["order"] ] )) {
  $sortorder = $sortorders[ $_GET["order"] ];
} else {
  $sortorder = $sortorders["DEFAULT"];
}
Map User Input to Safe SQL
<?php
$direction = $directions[ $_GET["dir"] ] ?: $directions["DEFAULT"];
(the ?: operator is PHP 5.3 syntax)
Interpolate Safe SQL
http://www.example.com/?order=date&dir=up
<?php
$sql = "SELECT * FROM Bugs
  ORDER BY {$sortorder} {$direction}";
$stmt = $pdo->query($sql);
(only whitelisted values are interpolated)
Benefits of Whitelist Maps
• Protects against SQL injection in cases where escaping and parameterization don’t help.
•Decouples web interface from database schema.
•Uses simple, declarative technique.
•Works independently of any framework.
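Putting the whitelist-map slides, the "Identifiers and Keywords" slide and the Interpolation vs. Parameters table together, here is an added example (mine, not from the deck) in Python with SQLite. The list of bug ids is expanded to one placeholder per value (the table's "multiple values" row), the sort column and direction are looked up in whitelist maps like the PHP arrays above, and a request value that is not a map key falls back to the DEFAULT entry. The Bugs table and its rows are constructed.

```python
import sqlite3

# Whitelist maps, as in the PHP arrays on the slides: keys are the values a
# request may carry, values are the SQL identifiers and keywords to emit.
SORT_ORDERS = {"DEFAULT": "bug_id", "status": "status", "date": "date_reported"}
DIRECTIONS = {"DEFAULT": "ASC", "up": "ASC", "down": "DESC"}


def build_bug_list_query(params, bug_ids):
    """Return (sql, bound_values) for a bug-list request.

    - column name and sort keyword: looked up in the whitelist maps; any
      request value that is not a key falls back to the DEFAULT entry
    - list of ids: one '?' placeholder per value (a parameter is one value,
      never a list), and each id must parse as an integer
    Nothing taken from the request is ever copied into the SQL text."""
    if not bug_ids:
        raise ValueError("at least one bug id is required")
    sort_col = SORT_ORDERS.get(params.get("order"), SORT_ORDERS["DEFAULT"])
    direction = DIRECTIONS.get(params.get("dir"), DIRECTIONS["DEFAULT"])
    placeholders = ", ".join("?" * len(bug_ids))
    sql = (f"SELECT bug_id FROM Bugs WHERE bug_id IN ({placeholders}) "
           f"ORDER BY {sort_col} {direction}")
    return sql, [int(b) for b in bug_ids]  # ValueError for e.g. '1234 OR TRUE'


def make_db():
    """Constructed sample Bugs table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Bugs (bug_id INTEGER PRIMARY KEY, "
                 "status TEXT, date_reported TEXT)")
    conn.executemany("INSERT INTO Bugs VALUES (?, ?, ?)", [
        (1234, "NEW", "2012-06-01"),
        (3456, "FIXED", "2012-05-20"),
        (5678, "NEW", "2012-06-10"),
    ])
    return conn


def list_bugs(conn, params, bug_ids):
    """Run the whitelisted, parameterized query and return the ordered ids."""
    sql, values = build_bug_list_query(params, bug_ids)
    return [row[0] for row in conn.execute(sql, values)]


if __name__ == "__main__":
    db = make_db()
    print(list_bugs(db, {"order": "date", "dir": "down"}, ["1234", "3456", "5678"]))
    # request values that are not map keys, even a real column name, get the defaults
    print(list_bugs(db, {"order": "date_reported DESC", "dir": "DESC"}, ["5678", "1234"]))
```

The map lookup is the whole defence for the identifier and keyword positions: the request chooses among strings the application wrote, and the query text never contains anything the client sent. The id list shows the complementary rule for values, one placeholder per value with the driver doing the binding.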
Fallacy
“Query parameters hurt SQL performance.”
Simple Query
[Chart: profiled elapsed time (y axis 0 to 0.004) for MySQL, MySQLi, MySQLi Prep, PDO, and PDO Prep]
Complex Query
[Chart: profiled elapsed time (y axis 0 to 1.56) for MySQL, MySQLi, MySQLi Prep, PDO, and PDO Prep]
Myth
“A proxy/firewall solution prevents SQL injection.”
MYTH
Oracle Database Firewall
•Reverse proxy between application and Oracle
•Whitelist of known SQL queries
• Learns legitimate queries from application traffic
• Blocks unknown SQL queries
•Also supports Microsoft SQL Server, IBM DB2, Sybase ASE, SQL Anywhere
• http://www.oracle.com/technetwork/database/database-firewall/overview/index.html
GreenSQL
•Reverse proxy for MySQL, PostgreSQL, Microsoft SQL Server
•Detects / reports / blocks “suspicious” queries:
• Access to sensitive tables
• Comments inside SQL commands
• Empty password
• An ‘or’ token inside a query
• An SQL expression that always returns true
• http://www.greensql.net/about
Still not Perfect
•Vipin Samar, Oracle vice president of Database Security:
• “Database Firewall is a good first layer of defense for databases but it won't protect you from everything,”
• http://www.databasejournal.com/features/oracle/article.php/3924691/article.htm
•GreenSQL Architecture:
• “GreenSQL can sometimes generate false positive and false negative errors. As a result, some legal queries may be blocked or the GreenSQL system may pass through an illegal query undetected.”
• http://www.greensql.net/about
Limitations of Proxy Solutions
•False sense of security; discourages code review
•Gating factor for emergency code deployment
•Constrains application from writing dynamic SQL
•Doesn’t stop SQL injection in Stored Procedures
Fallacy
“NoSQL databases are immune to SQL injection.”
FALLACY
“NoSQL Injection”
http://www.example.com?column=password
<?php
$map = new MongoCode("function() { emit(this." . $_GET["column"] . ", 1); }");
$data = $db->command(array("mapreduce" => "Users", "map" => $map));
any string-interpolation of untrusted content is Code Injection
NoSQL Injection in the Wild
•Diaspora wrote MongoDB map/reduce functions dynamically from Ruby on Rails:
def self.search(query)
  Person.all('$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }")
end
• http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/
did query come from a trusted source?
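An added example (not Diaspora's code, nor the deck's) of taking the string interpolation out of both NoSQL snippets above: the map function's emit field comes from a whitelist map, exactly as with ORDER BY, and the prefix search is expressed as a $regex query document instead of $where JavaScript. The field names and map keys are assumptions; the functions build the request documents and do not need a running MongoDB.

```python
import json
import re

# Whitelist of fields a client may ask the map function to group by
# (keys and field names are constructed for this example).
EMIT_FIELDS = {"status": "status", "reporter": "reported_by", "DEFAULT": "status"}
# Fields the Diaspora-style prefix search covers (assumed names).
SEARCH_FIELDS = ["diaspora_handle", "profile.first_name", "profile.last_name"]


def map_function(column):
    """Build the map/reduce JavaScript from a whitelisted field name only.
    The request value selects a map entry; it is never spliced into the code."""
    field = EMIT_FIELDS.get(column, EMIT_FIELDS["DEFAULT"])
    return "function() { emit(this.%s, 1); }" % field


def search_filter(query):
    """Express the prefix search as a query document rather than $where JavaScript.
    re.escape turns regex metacharacters in the user's string into literals, and
    because $regex is data, no server-side code is assembled from the input."""
    pattern = "^" + re.escape(query)
    return {"$or": [{field: {"$regex": pattern, "$options": "i"}}
                    for field in SEARCH_FIELDS]}


def search_filter_json(query):
    """Serialised form, as it would be sent to the driver (deterministic key order)."""
    return json.dumps(search_filter(query), sort_keys=True)


if __name__ == "__main__":
    print(map_function("password"))      # falls back to DEFAULT: this.status
    print(search_filter_json("bob"))
```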
Myths and Fallacies
• I don’t have to worry anymore
• Escaping is the fix
• More escaping is better
• I can code an escaping function
• Only user input is unsafe
• Stored procs are the fix
• SQL privileges are the fix
• My app doesn’t need security
• Frameworks are the fix
• Parameters quote for you
• Parameters are the fix
• Parameters make queries slow
• SQL proxies are the fix
• NoSQL databases are the fix
there is no single silver bullet—use all defenses when appropriate
SQL Antipatterns
http://www.pragprog.com/titles/bksqla/
www.percona.com/live
New York, October 1-2, 2012
London, December 3-4, 2012
Santa Clara, April 22-25, 2013
License and Copyright
Copyright 2010-2012 Bill Karwin
www.slideshare.net/billkarwin
Released under a Creative Commons 3.0 License: http://creativecommons.org/licenses/by-nc-nd/3.0/
You are free to share - to copy, distribute and transmit this work, under the following conditions:
Attribution. You must attribute this work to Bill Karwin.
Noncommercial. You may not use this work for commercial purposes.
No Derivative Works. You may not alter, transform, or build upon this work.