E-shopkeepers stabbed with SQL needles 'twice' as much as other sites

Retailers suffer twice as many SQL injection attacks on their systems as other industries, according to a new study by data-centre security firm Imperva, which claims the ferocity of web-based assaults is growing. The fourth annual edition of Imperva's Web Application Attack Report [PDF] also revealed that e-shopping …

COMMENTS

This topic is closed for new posts.
  1. PassiveSmoking

    Bobby Tables

    This kind of exploit is sickeningly easy to avoid, yet crops up with depressing regularity.

    PHP, for example, has several mechanisms to avoid SQL injection (use of the DBMS parameterized/prepared statement mechanisms, input validation and filtering), yet the number of times I see people asking questions on Stack Overflow where they've obviously followed a tutorial from the PHP 4 days and written stuff like the following just makes me want to quit web development and take up mushroom farming instead.

    // Raw request input spliced straight into the SQL text: the injection pattern described above
    mysql_query ('INSERT INTO TABLE (column) VALUES (' . $_GET ['field'] . ')');

    Doesn't anyone read XKCD?

    http://xkcd.com/327/

    1. Steven Roper

      Re: Bobby Tables

      Exactly. So here I'll post some code that prevents this kind of attack for anyone who hasn't yet figured it out for themselves. I'll even give it away free for anyone to use!

      define('MAXLEN_FIELD', 255); // or however many characters long your field is if it's text

      If the element being stored is numeric:

      $db_array['field'] = isset($_POST['field']) ? (int)($_POST['field']) : 0;

      or if it's text:

      // Truncate first, then escape: truncating an already-escaped string can cut an escape
      // sequence in half and leave a dangling backslash in front of the closing quote.
      // mysql_real_escape_string() needs an open mysql_connect() link (legacy mysql extension).
      $db_array['field'] = isset($_POST['field']) ? mysql_real_escape_string(substr($_POST['field'], 0, MAXLEN_FIELD)) : '';

      then:

      if (mysql_query("INSERT INTO table (field) VALUES ('" . $db_array['field'] . "')")) {
          $message = "Data stored successfully";
      } else {
          $message = "There was a problem storing your data";
      }

      echo $message;

      This will protect you from the vast majority of SQL injection attacks as well as truncating over-long strings (such as might be used in a buffer overflow attack). It's not that hard.
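The same insert written with the prepared-statement mechanism PassiveSmoking mentions, as an added example that is not part of either comment above. It assumes PHP with PDO and the pdo_sqlite driver (an in-memory SQLite database stands in for MySQL so it runs offline); the `customers` table, its `qty` and `name` columns, and the sample input are constructed for this example. It puts the string-concatenation pattern beside the parameterised one and feeds both an ordinary name containing an apostrophe, which breaks the first and is stored verbatim by the second.

```php
<?php
// Added example (not from the thread): the insert above, done with PDO prepared statements.
// Assumes the pdo_sqlite driver; table and sample input are constructed for this demo.
declare(strict_types=1);

const MAXLEN_FIELD = 255; // same field width used in the post above

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, qty INTEGER NOT NULL, name TEXT NOT NULL)');
    return $db;
}

// The pattern the thread warns about: request input spliced straight into the SQL text.
// Kept only to show how it fails; the SQL parser sees the data as part of the statement.
function insertByConcatenation(PDO $db, array $input): void
{
    $db->exec("INSERT INTO customers (qty, name) VALUES (" . $input['qty'] . ", '" . $input['name'] . "')");
}

// Parameterised form: the SQL text is fixed at prepare() time and the values travel
// separately, so quotes, semicolons or comment markers in the data are just data.
// The int cast and length cap mirror the checks in the post above; no escaping is needed.
function insertWithPreparedStatement(PDO $db, array $input): int
{
    $qty  = isset($input['qty']) ? (int) $input['qty'] : 0;
    $name = isset($input['name']) ? substr((string) $input['name'], 0, MAXLEN_FIELD) : '';

    $stmt = $db->prepare('INSERT INTO customers (qty, name) VALUES (:qty, :name)');
    $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Reads are parameterised the same way: the WHERE clause never changes shape.
function findByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT qty, name FROM customers WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input: a legitimate customer name containing an apostrophe.
$input = ['qty' => '3', 'name' => "O'Brien"];

$db = openDb();
try {
    insertByConcatenation($db, $input);
    echo "concatenation: stored (unexpected)\n";
} catch (PDOException $e) {
    // The apostrophe terminates the SQL string literal and the statement fails to parse.
    // Crafted input exploits exactly this gap; ordinary input merely exposes it.
    echo "concatenation: query broken by ordinary input\n";
}

$id  = insertWithPreparedStatement($db, $input);
$row = findByName($db, "O'Brien");
printf("prepared: row %d stored qty=%d name=%s\n", $id, $row['qty'], $row['name']);
```

Run it with `php example.php`; the concatenated insert throws a PDOException on the apostrophe, while the prepared statement stores and reads back `O'Brien` unchanged. The same shape works against MySQL by swapping the DSN for `mysql:host=...;dbname=...`.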

  2. Anonymous Coward

    And many online retailers will ....

    ......continue to do sweet f*ck all.. Why? Because the bottom line is all that matters, and tech spending to make sites more robust just isn't in the budget..... My credit card got hit travelling to the USA. After I ruled out any issue with my set-up I wrote to all the retailers involved. They all point blank denied that any breach had occurred on their site or with any of their payment processors. C'mon!!!!

  3. Anonymous Coward

    "software that does not correctly or sufficiently clean up user-submitted data"

    What kind of e-commerce packages are these people using?

    Relying on cleaning up user-submitted data alone is asking for trouble. It's far better to design things properly to start with - e.g. parametrized stored procedures or linq-to-SQL, etc. and definitely no inline SQL.

  4. This post has been deleted by its author

    1. Khaptain

      Re: Politician's 'perfect' solution for a 'perfect world'

      Looks like someone posted to the wrong forum......

      Or was it the word "injection" that got you going.....

  5. Ol'Peculier

    And in other news... woman gives birth.

    Honestly, SQL injection is not exactly the newest tool in the hacker's box, is it?

  6. William Boyle

    SQL injection is not the issue

    The issue is that web application developers are using bad practices that allow such attacks. In fact, eliminating them is trivial. The application vendors are the ones who should be held liable. If the web site owner is responsible, then they should suffer the financial and legal consequences; however, normally there is a commercial software vendor who is responsible.

  7. Anonymous Coward

    SQL injection attacks and stored procedures ..

    "Retailers suffer twice as many SQL injection attacks on their systems as other industries, according to a new study by data-centre security firm Imperva, which claims the ferocity of web-based assaults is growing" ..

    Well then, why not put all your SQL statements in stored procedures, and/or put some sanity checking in the string returned to the server ..

  8. intrigid

    I maintain that if aliens visit our planet and study our society, their first question will be why all our database commands are passed back and forth in alphanumeric strings.

  9. Allan George Dyer

    "Retailers suffer twice as many SQL injection attacks"

    I wonder why that is? In other news:

    Robbers target banks

    Ursines defecate in arboreal locations

    Pope confirms his Catholicism
