Rather than manually checking the values for special characters, etc., just make 
sure you use parameterized queries in JDBC. It will escape everything 
correctly for you. 


----- Original Message ----- 
From: "Vincent Greene" <vincent.gre...@cxtown.com> 
To: jug-discussion@tucson-jug.org 
Sent: Wednesday, February 11, 2009 8:58:18 AM GMT -07:00 U.S. Mountain Time 
(Arizona) 
Subject: RE: [jug-discussion] another suggestion 




Basically, SQL injection attacks are based on exploiting poor SQL generation to 
run things you really don't want to happen on a web application. 



Suppose you have a web application that accepts input from an HTML form and 
stores it in the variable "searchword", then in your code you naively use string 
manipulation to create an SQL statement to run, e.g.: 



String sql = "select values from searchtable where searchterms like '%" + searchword + "'"; 



Then you use JDBC to run that statement and return the list of values to the 
web page in some way. 



If there is no checking of the value that is passed in, a hacker could set the 
searchword parameter to: 



bogussearch%';drop table searchtable;' 



And completely ruin your day, because when you run the SQL statement in your 
code, you get: 



select values from searchtable where searchterms like '%bogussearch%';drop table searchtable;'' 



So, it will return the search results as expected (keeping your app from 
crashing on that transaction), then drop the searchtable, causing you a great 
deal of trouble. 



The exact syntax of the attack varies from running undesired SQL statements to 
running arbitrary commands on the target machine. 



Different DBMS systems have different vulnerabilities related to SQL injection, 
but none are completely safe. 



To prevent them, you must always range check any values that are coming from 
user input for size and content (e.g. no special characters). 



Please note that you cannot do that with JavaScript (or any other browser 
scripting language), because a hacker will simply bypass that and feed 
an HTTP GET or POST directly to the server; the validation has to be in server-side 
code. 



A (better) explanation can be found at: 
http://en.wikipedia.org/wiki/SQL_injection 
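A concrete JDBC version of the fix recommended at the top of the thread, as an added example (not code from any of the posters). It assumes an H2 in-memory database with its driver on the classpath, a constructed table whose result column is named val (the thread's "values" is a reserved word in many databases), and the helper names searchVulnerable, searchSafe and escapeLike, which are invented for this demo. It keeps the concatenated query beside the PreparedStatement version so the two can be run against the same injected input, and adds the two server-side checks a parameter does not give you for free: a size limit, and escaping of the LIKE wildcards, since a bound '%' is still a wildcard.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class SearchDemo {

    // VULNERABLE: the user's search word is pasted into the SQL text, exactly as in
    // the concatenation discussed above. Quotes in the input become SQL syntax.
    static List<String> searchVulnerable(Connection conn, String searchword) throws SQLException {
        String sql = "select val from searchtable where searchterms like '%" + searchword + "%'";
        List<String> hits = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                hits.add(rs.getString(1));
            }
        }
        return hits;
    }

    // SAFE: the SQL text is fixed; the search word travels as a bound parameter and
    // cannot change the statement's structure. Two extra server-side checks:
    //  - a length limit, since "range check for size" still applies to parameters;
    //  - escaping of LIKE wildcards, because a bound '%' is still a wildcard to LIKE
    //    and would otherwise let a user match (and enumerate) every row.
    static List<String> searchSafe(Connection conn, String searchword) throws SQLException {
        if (searchword == null || searchword.isEmpty() || searchword.length() > 64) {
            throw new IllegalArgumentException("search word must be 1-64 characters");
        }
        String pattern = "%" + escapeLike(searchword, '!') + "%";
        String sql = "select val from searchtable where searchterms like ? escape '!'";
        List<String> hits = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, pattern);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    hits.add(rs.getString(1));
                }
            }
        }
        return hits;
    }

    // Escape the LIKE metacharacters '%' and '_' (and the escape character itself)
    // so they match literally. '!' is used as the escape character because a
    // backslash is itself an escape inside string literals on some databases.
    static String escapeLike(String s, char esc) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            if (c == '%' || c == '_' || c == esc) {
                sb.append(esc);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws SQLException {
        // Assumed setup: H2 in-memory database (driver on the classpath); any JDBC
        // driver will do. The table and its rows are constructed for this demo.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("create table searchtable (searchterms varchar(100), val varchar(100))");
                st.execute("insert into searchtable values ('red widget', 'W-1'), ('blue gadget', 'G-2'), ('50% off', 'SALE')");
            }

            // Honest input behaves the same either way: [W-1].
            System.out.println("vulnerable, 'widget': " + searchVulnerable(conn, "widget"));
            System.out.println("safe,       'widget': " + searchSafe(conn, "widget"));

            // Injected input closes the string literal and ORs in a match-all pattern.
            // The concatenated SQL becomes "... like '%' or searchterms like '%%'" and
            // returns every row; the parameterized query looks for that text literally
            // and returns nothing.
            String payload = "' or searchterms like '";
            System.out.println("vulnerable, payload: " + searchVulnerable(conn, payload));
            System.out.println("safe,       payload: " + searchSafe(conn, payload));

            // Wildcard-only input: a bare '%' bound as a parameter would still match
            // every row; escaped, it matches only the literal '%' in '50% off'.
            System.out.println("safe,       '%':     " + searchSafe(conn, "%"));
        }
    }
}
```

The vulnerable method is kept only to show the contrast; in real code the user-controlled value never appears in the SQL string at all, and the statement text can be reviewed as a constant.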










From: liz_ravenw...@beaerospace.com [mailto:liz_ravenw...@beaerospace.com] 
Sent: Wednesday, February 11, 2009 8:29 AM 
To: jug-discussion@tucson-jug.org 
Subject: [jug-discussion] another suggestion 




I'm sorry I had to leave last night. Rene, that was very interesting. You did a 
good job and I'm glad I went. Gosh I have a lot to learn! 

Anyway, I've been hearing things about this sql injection threat and that the 
Mars Rover actually had that issue. 

Could anyone explain what it is and how to prevent it? 

Respectfully, 
Liz, Data Base Administrator, 
Methods Engineering 

