Great session on how to prevent SQL Injection Myths and Fallacies
Posted by Jeroen Pluimers on 2012/08/15
A few weeks ago, Bill Karwin did a must watch webinar on the prevention SQL Injection titled “SQL Injection Myths and Fallacies“.
- was product manager of InterBase (its screaming multi-generational database architecture - invented in the 80s by Jim Starkey, based on immutability now far more widespread and called MultiVersion Concurrency Control - still baffles many people)
- worked on Firebird
- is author of the book The Pragmatic Bookshelf | SQL Antipatterns: Avoiding the Pitfalls of Database Programmings, available on Amazon.
- is autohor of IBPerl
- is frequent answerer on many SQL related forums and QA sites, for instance Bill on StackOverflow
Watching it you’ll get a better understanding of defending against SQL injection.
A few very valuable points he made:
- Escaping is not the solution, and multiple levels of escaping only makes life harder
- SQL parameter objects aren’t always a solution for SQL injection as they can only be used for parameter values (and for instance not for table or column names, or for other SQL syntax like an ORDER BY direction)
- If you have to translate user input to SQL, then map it to safe SQL, not
- Database Firewalls aren’t 100% fool proof (generate false positives and false negatives)
- NoSQL doesn’t suffer from SQL-injection, but from NoSQL-injection
You’d think that many examples in PHP makes this only valuable for web applications.
I’ve seen so many native apps suffering from SQL injection, that this session is a “must watch” for any developer.
Non web-apps I have seen fail use technologies like .NET, Xcode, C++ and Delphi and a variety of platforms (Windows, Mac, mobile, you name it).
He will repeat this session during Percona Live at these dates:
- New York, October 1-2, 2012
- London, December 3-4, 2012
- Santa Clara, April 22-25, 2013
If you are nearby, try to get there, he is a very entertaining speaker!