Are you shitting me?
An SQL injection attack? Really? Is this where we *still* are? Whoever wrote that system needs to be flogged with several extraneous semicolons.
Dutch authorities have shuttered a transit website after a hacker demonstrated it gave him access to addresses, birthdates, and other sensitive information belonging to some 168,000 passengers. Ironically, Ervaar het OV, which translates to "Experience the OV," was intended to promote the use of smartcards on the OV system by …
Remember this is government IT, so it was done on the cheap. They got some people to make the site. It's probably their first main site, and since they just learnt about SQL and databases, they didn't bother to read about security. They did some code, saw that it worked and then just submitted it without bothering to learn about secure code. That's the problem with easy "programming languages" and those who do not learn secure coding or proper programming techniques.
Yes, this is still where we are, along with PHP. Never mind the attack method, or secure coding, or programming language simplicity; these are still the foundations for websites/servers. Security is another issue altogether. I'm thinking the implications are more a reflection on the mindset of the site's owner, or their attitude towards their users' information security; the attack is just a byproduct that highlights that.
> SQL injection flaws are the result of poorly written web applications that fail to vet user-supplied input before passing it to back-end systems.
Yes and no - the security needs to be present on the back-end systems too, or what's to stop people circumventing the front-end system entirely and just sending their own hand-crafted queries and commands to the back end?
Server software shouldn't assume it's talking to a friend.
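As an added illustration (not from the article or any of the commenters), here is the pattern the quoted sentence and the reply above describe, in Python against an in-memory SQLite database: a lookup that splices the user's card number into the SQL text, the same lookup with a bound parameter, and a server-side format check so the back end does not rely on the front end having vetted anything. The passenger table, the "OV-nnnn" card-id format and the three sample rows are constructed assumptions; the article names no schema.

```python
import re
import sqlite3

# Constructed sample data (an assumption): three fictitious passengers standing
# in for the real site's passenger records. No real schema or data is known.
PASSENGERS = [
    ("OV-1001", "A. de Vries", "1985-03-14", "Stationsplein 1, Utrecht"),
    ("OV-1002", "B. Jansen", "1990-07-02", "Damrak 22, Amsterdam"),
    ("OV-1003", "C. Bakker", "1978-11-30", "Coolsingel 5, Rotterdam"),
]

# A classic tautology payload: closes the opening quote, then ORs in a
# condition that is true for every row.
PAYLOAD = "' OR '1'='1"

# Assumed card-id format, checked on the server regardless of what the
# front end did. This is defence in depth, not a substitute for binding.
CARD_ID_RE = re.compile(r"^OV-\d{4}$")


def make_db():
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE passenger (card_id TEXT PRIMARY KEY, name TEXT, "
        "birthdate TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO passenger VALUES (?, ?, ?, ?)", PASSENGERS)
    return conn


def lookup_vulnerable(conn, card_id):
    """The bug: input is concatenated into the SQL text, so a quote in
    card_id changes the query's structure instead of being compared as data.
    With PAYLOAD the query becomes  WHERE card_id = '' OR '1'='1'  and
    returns every passenger."""
    sql = (
        "SELECT card_id, name, birthdate, address FROM passenger "
        "WHERE card_id = '" + card_id + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, card_id):
    """The fix: the SQL text is constant and card_id travels as a bound
    value, so PAYLOAD is compared literally against card_id and matches
    nothing."""
    sql = (
        "SELECT card_id, name, birthdate, address FROM passenger "
        "WHERE card_id = ?"
    )
    return conn.execute(sql, (card_id,)).fetchall()


def is_valid_card_id(card_id):
    """Server-side allow-list check. A front-end check alone proves nothing,
    because an attacker can post to the back end directly."""
    return CARD_ID_RE.fullmatch(card_id) is not None


def lookup_hardened(conn, card_id):
    """Reject anything that is not a well-formed card id, then bind."""
    if not is_valid_card_id(card_id):
        return []
    return lookup_parameterized(conn, card_id)


def demo():
    """Run the three lookups against the same payload and one legitimate id.
    Returns (rows leaked by the vulnerable query, rows returned by the
    parameterized query for the payload, rows for a legitimate id)."""
    conn = make_db()
    leaked = len(lookup_vulnerable(conn, PAYLOAD))
    safe = len(lookup_parameterized(conn, PAYLOAD))
    legit = lookup_hardened(conn, "OV-1002")
    return leaked, safe, legit


if __name__ == "__main__":
    leaked, safe, legit = demo()
    print(f"vulnerable query leaked {leaked} of {len(PASSENGERS)} passengers")
    print(f"parameterized query returned {safe} rows for the same payload")
    print(f"hardened lookup for OV-1002: {legit}")
```

The point of the last two functions is the one the reply makes: the binding and the format check both live on the server, so they hold whether the request came through the intended web form or from a hand-crafted POST that skipped the front end entirely.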
Biting the hand that feeds IT © 1998–2019