The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Great session on how to prevent SQL Injection Myths and Fallacies

Posted by Jeroen Pluimers on 2012/08/15

A few weeks ago, Bill Karwin gave a must-watch webinar on preventing SQL injection, titled “SQL Injection Myths and Fallacies”.

Bill Karwin (twitter, new blog, old blog, Amazon) is well known for his work in the SQL database community, covering InterBase/Firebird, MySQL, Oracle and many more.

He also:

Anyway, his webinar is awesome. Be sure to get the slides, watch the replay, and read the follow-up to the questions asked during the session.

Watching it you’ll get a better understanding of defending against SQL injection.

A few very valuable points he made:

  • Escaping is not the solution, and multiple levels of escaping only make life harder (an escaped quote does nothing for a value that lands in a numeric context)
  • SQL parameter objects (prepared statements with bound parameters) aren’t a complete solution for SQL injection, as they can only supply values: they cannot supply table or column names, or other SQL syntax such as an ORDER BY direction
  • If you have to translate user input to SQL, then map it to safe SQL, not
  • Database firewalls aren’t 100% foolproof (they generate both false positives and false negatives)
  • NoSQL doesn’t suffer from SQL injection, but from NoSQL injection
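To make the first three points concrete, here is an added example (my own code, not from Bill Karwin’s slides or webinar) using Python’s standard sqlite3 module against a constructed in-memory users table. It shows why escaping quotes fails in a numeric context, how a bound parameter keeps the same input as a plain value, and how a column name and sort direction (which parameters cannot bind) are mapped through an allowlist to fixed SQL fragments instead of being escaped or concatenated. Table, column and data names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example; not from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT);
        INSERT INTO users (name, email, role) VALUES
          ('alice', 'alice@example.com', 'admin'),
          ('bob',   'bob@example.com',   'user'),
          ('carol', 'carol@example.com', 'user');
    """)
    return conn


def find_user_vulnerable(conn, name):
    """Concatenation: whatever the caller passes becomes SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(s):
    """The classic 'one call that cleans the string': doubles single quotes."""
    return s.replace("'", "''")


def find_by_id_escaped(conn, id_text):
    """Escaping quotes is useless here: the value sits in a numeric context,
    so an attacker never needs a quote character to change the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(id_text)
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """Bound parameter: the input is sent as a value, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers and syntax cannot be bound as parameters, so user input that
# selects them is mapped onto fixed SQL fragments. Unknown input is rejected,
# not escaped.
SORTABLE_COLUMNS = {"name": "name", "email": "email", "role": "role"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_users_sorted(conn, column, direction):
    """ORDER BY built only from allowlisted fragments chosen by user input."""
    try:
        col = SORTABLE_COLUMNS[column.lower()]
        dir_ = SORT_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError("unsupported sort column or direction")
    sql = "SELECT name FROM users ORDER BY {} {}".format(col, dir_)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("concatenated:", find_user_vulnerable(conn, payload))   # every user
    print("parameterized:", find_user_parameterized(conn, payload))  # nobody
    print("escaped numeric:", find_by_id_escaped(conn, "2 OR 1=1"))  # every user
    print("sorted:", list_users_sorted(conn, "email", "DESC"))
```

Note that the allowlist maps user input to fragments the code owns; the user-supplied string itself never reaches the SQL text, which is the difference between “mapping to safe SQL” and escaping.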

You’d think that the many PHP examples make this valuable only for web applications.

Not!

I’ve seen so many native apps suffering from SQL injection that this session is a “must watch” for any developer.

Non-web apps I have seen fail were built with technologies like .NET, Xcode, C++ and Delphi, on a variety of platforms (Windows, Mac, mobile, you name it).

He will repeat this session during Percona Live at these dates:

  • New York, October 1-2, 2012
  • London, December 3-4, 2012
  • Santa Clara, April 22-25, 2013

If you are nearby, try to get there, he is a very entertaining speaker!

–jeroen

via SQL Injection Myths and Fallacies.

One Response to “Great session on how to prevent SQL Injection Myths and Fallacies”

  1. I remember dealing with SQL injection issues in the past. I thought there was a quick way (one call) to make sure all strings entered were clean?
