Structured Query Language (SQL) - Cultural View of Technology

More documents

Recommendations

Info

SQL injection 94 Conditional errors This type of blind SQL injection causes an SQL error by forcing the database to evaluate a statement that causes an error if the WHERE statement is true. For example, SELECT 1/0 from users where username='Ralph'; the division by zero will only be evaluated and result in an error if user Ralph exists. Time delays Time Delays are a type of blind SQL injection that cause the SQL engine to execute a long running query or a time delay statement depending on the logic injected. The attacker can then measure the time the page takes to load to determine if the injected statement is true. Preventing SQL injection To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered. Parameterized statements With most development platforms, parameterized statements can be used that work with parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement. In many cases, the SQL statement is fixed, and each parameter is a scalar, not a table. The user input is then assigned (bound) to a parameter. This is an example using Java and the JDBC API: PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?"); prep.setString(1, username); prep.setString(2, password); prep.executeQuery(); Enforcement at the database level Currently only the H2 Database Engine supports the ability to enforce query parameterization. [5] However, one drawback is that query by example may not be possible or practical because it's difficult to implement query by example using parametrized queries. Enforcement at the coding level Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in effect will generate parameterized SQL statements from object-oriented code. Escaping A straight-forward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. The manual for an SQL DBMS explains which characters have a special meaning, which allows creating a comprehensive blacklist of characters that need translation. For instance, every occurrence of a single quote (') in a parameter must be replaced by two single quotes ('') to form a valid SQL string literal. In PHP, for example, it is usual to escape parameters using the function mysql_real_escape_string before sending the SQL query: $query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'", mysql_real_escape_string($Username),
SQL injection 95 mysql_query($query); mysql_real_escape_string($Password)); This is error prone because it is easy to forget to escape a given string. Real-world examples • On November 1, 2005, a high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information. [6] • On January 13, 2006, Russian computer criminals broke into a Rhode Island government web site and allegedly stole credit card data from individuals who have done business online with state agencies. [7] • On March 29, 2006, Susam Pal discovered an SQL injection flaw in an official Indian government tourism site. [8] • On March 2, 2007, Sebastian Bauer discovered an SQL injection flaw in the knorr.de login page. [9] • On June 29, 2007, a computer criminal defaced the Microsoft U.K. website using SQL injection. [10] [11] . U.K. website The Register quoted a Microsoft spokesperson acknowledging the problem. • In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store. [12] • On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its website for 'routine maintenance' after being informed that 10,597 Social Security numbers from sex offenders had been downloaded via an SQL injection attack [13] • In May 2008, a server farm inside China used automated queries to Google's search engine to identify SQL server [12] [14] websites which were vulnerable to the attack of an automated SQL injection tool. • In 2008,at least April through August, a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL Server database server. The attack doesn't require guessing the name of a table or column, and corrupts all text columns in all tables in a single request. [15] A HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches at gaining control over a visitor's system. The number of exploited web pages is estimated at 500,000 [16] • On August 17, 2009, the United States Justice Department charged an American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack. In reportedly "the biggest case of identity theft in American history", the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers. [17] • In December 2009, an attacker breached a RockYou! plaintext database containing the unencrypted usernames and passwords of about 32 million users using an SQL injection attack. [18]
Page 1 and 2:
Structured Query Language (SQL) SQL
Page 3 and 4:
Nested SQL 72 Object-oriented SQL 7
Page 5 and 6:
SQL 1 SQL Paradigm Multi-paradigm A
Page 7 and 8:
SQL 3 result set. SELECT * FROM Boo
Page 9 and 10:
SQL 5 • MERGE is used to combine
Page 11 and 12:
SQL 7 REVOKE SELECT, UPDATE ON My_t
Page 13 and 14:
SQL 9 2008 SQL:2008 Legalizes ORDER
Page 15 and 16:
SQL 11 [9] ANSI/ISO/IEC Internation
Page 17 and 18:
SQL:2003 13 [11] http://www.iso.org
Page 19 and 20:
Advantage Database Server 15 • Sm
Page 21 and 22:
Call Level Interface 17 Call Level
Page 23 and 24:
Check Constraint 19 Check Constrain
Page 25 and 26:
Commit (data management) 21 Commit
Page 27 and 28:
Correlated subquery 23 Correlated s
Page 29 and 30:
CUBRID 25 Linux Foundation Silver S
Page 31 and 32:
CUBRID 27 References [1] http://www
Page 33 and 34:
Cursor (databases) 29 Scrollable cu
Page 35 and 36:
Cursor (databases) 31 Disadvantages
Page 37 and 38:
Data Definition Language 33 Data De
Page 39 and 40:
Data Manipulation Language 35 Data
Page 41 and 42:
Database Console Commands (Transact
Page 43 and 44:
Page 45 and 46:
Page 47 and 48: DbForge Studio for MySQL 43 • Dat
Page 49 and 50: Declarative Referential Integrity 4
Page 51 and 52: Devgems Data Modeler 47 External li
Page 53 and 54: Embedded SQL 49 External links •
Page 55 and 56: EnterpriseDB 51 EnterpriseDB also o
Page 57 and 58: Epictetus Database Client 53 Extern
Page 59 and 60: Foreign key 55 SET NULL The foreign
Page 61 and 62: FSQL 57 Comparator for Possibility
Page 63 and 64: Hint (SQL) 59 Hint (SQL) In various
Page 65 and 66: HSQLDB 61 Transaction support HSQLD
Page 67 and 68: MaxDB 63 MaxDB Stable release 7.6.0
Page 69 and 70: Meta-SQL 65 Meta-SQL 'Meta-SQL' Use
Page 71 and 72: MySQL Workbench 67 MySQL Migration
Page 73 and 74: MySQL Workbench 69 [14] MySQL Workb
Page 75 and 76: Navicat 71 Free version Navicat Lit
Page 77 and 78: PL/pgSQL 73 PL/pgSQL PL/pgSQL (Proc
Page 79 and 80: PL/SQL 75 User-defined exceptions a
Page 81 and 82: PL/SQL 77 A selection of other data
Page 83 and 84: PL/SQL 79 Array handling PL/SQL ref
Page 85 and 86: PL/SQL 81 Similar languages PL/SQL
Page 87 and 88: Query optimizer 83 Join ordering Th
Page 89 and 90: Query plan 85 Query plan A query pl
Page 91 and 92: Rollback (data management) 87 Rollb
Page 93 and 94: SQL CLR 89 External links • MSDN:
Page 95 and 96: SQL Problems Requiring Cursors 91 S
Page 97: SQL injection 93 Incorrect type han
Page 101 and 102: SQL/CLI 97 SQL/CLI The SQL/CLI, or
Page 103 and 104: SQL/Schemata 99 SQL/Schemata The SQ
Page 105 and 106: SQLPro SQL Client 101 SQLPro SQL Cl
Page 107 and 108: Scriptella 103 Scriptella Stable re
Page 109 and 110: SQL/JRT 105 SQL/JRT The SQL/JRT, or
Page 111 and 112: SQuirreL SQL Client 107 History The
Page 113 and 114: Table (database) 109 An equally val
Page 115 and 116: Truviso 111 Truviso Industry Softwa
Page 117 and 118: User-defined function 113 User-defi
Page 119 and 120: User-defined function 115 SAS_Stude
Page 121 and 122: View (database) 117 View (database)
Page 123 and 124: View (database) 119 for processing.
Page 125 and 126: Windows Internal Database 121 Exter
Page 127 and 128: XLeratorDB 123 Analytic functions S
Page 129 and 130: XLeratorDB 125 [27] See general Bus
Page 131 and 132: Article Sources and Contributors 12
Page 133 and 134: Image Sources, Licenses and Contrib
show all

Structured Query Language (SQL) - Cultural View of Technology

Create successful ePaper yourself

Delete template?

Save as template?