Sam, I do a lot of work in this field and yes, developers without any knowledge of what SQL Injection (or even XSS) is are the main culprit. Even with the current "tools" (.net, asp.net..) SQL Injection and XSS are very common. I've seen loads of production apps with potential issues but, as long as "nobody is hurt in some shape or form", nobody bothers to fix them. "Hey, we've never been attacked" is the most common answer. But nobody can answer the question: "How do you know you've never been attacked? Do you keep proper logs? Do you have any clue whether there isn't someone out there who has a complete copy of your database without you knowing it?" Just a few weeks ago I managed to do a relatively trivial XSS injection on a popular .Net CMS system that's been out for ages. You kind of expect these types of issues to be ironed out in "good, reputable, solid" systems but heck, no, they are still there.
Now, in the defense of some of these "developers", there are several scenarios that are actually very hard to code safely, even for an experienced developer with loads of understanding of SQL Injection attacks. The best example is a complex search procedure for a website that has to take different parameters, so it's best to build the query based on the input parameters. E.g. search only some columns, filter by vendor, category, manufacturer, maybe some checkboxes. Writing such a search is not easy if you want it optimized and well performing, and this is quite often the Achilles' heel. Having a SQL Injection in any other scenario is a sign of pure low quality development.

Regards,
Corneliu.

PS>> Shameless Plug: I wrote a tool, XSSAttack, that can simulate a successful XSS attack on your database. You can then see how your site behaves once the XSS attack has succeeded. Give it a try :) I challenge every one of you who are developing websites :)
http://xssattack.codeplex.com/

On Wed, Sep 1, 2010 at 5:35 PM, mike smith <[email protected]> wrote:
> On 1 September 2010 15:06, Craig van Nieuwkerk <[email protected]> wrote:
>
>> > I don't see how any legitimate programmer could claim to be unaware of
>> > such an issue; it's a core concept about how programming works. They
>> > may as well be confused that comments don't compile.
>> >
>>
>> Of the hundred plus developers I have worked with over the years, most
>> would stare at you blankly if you mentioned sql injection. Just the
>> other day I had to go to great lengths to explain it to some pretty
>> experienced developers.
>>
>>
> Point them here.
>
> http://xkcd.com/327/
>
> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure,
> you'll get it, but it's going to be rough" - Adam Hills
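The "hard case" Corneliu describes above (a search whose WHERE clause changes with the optional inputs: keyword over chosen columns, vendor/category/manufacturer filters, checkboxes, sort order) is the one where developers typically fall back to string concatenation. Added here as an illustration, and not code from the thread, from XSSAttack or from any .NET project, is a Python/sqlite3 version of the safe pattern: the statement text is still assembled dynamically, but every user-supplied value travels through a `?` placeholder and every user-chosen identifier (column to search, column to sort on) is checked against a fixed allow-list before it is spliced into the SQL. The `products` schema, column names and rows are constructed sample data. Python is used so the example runs anywhere; the same split between values (bound parameters) and identifiers (allow-listed) is what an ADO.NET `SqlCommand` with `Parameters` gives you.

```python
import sqlite3

# Allow-lists for the parts of a query that cannot be parameterised:
# identifiers are chosen from fixed sets, never copied from request input.
# (Hypothetical schema for this example.)
SEARCHABLE_COLUMNS = ("name", "description")
FILTER_COLUMNS = ("vendor", "category", "manufacturer")
SORT_COLUMNS = ("name", "price")


def build_search(term=None, search_in=None, filters=None,
                 in_stock_only=False, order_by="name", limit=50):
    """Return (sql, params) for a product search with optional criteria.

    The statement's shape depends on which inputs are present, but every
    user-supplied VALUE is bound through a '?' placeholder and every
    user-chosen IDENTIFIER is validated against an allow-list first.
    """
    where, params = [], []

    if term:
        cols = tuple(search_in) if search_in else SEARCHABLE_COLUMNS
        bad = [c for c in cols if c not in SEARCHABLE_COLUMNS]
        if bad:
            raise ValueError(f"cannot search column(s): {bad}")
        # LIKE metacharacters typed by the user are escaped so '%' and '_'
        # match literally; the pattern itself is still passed as a value.
        escaped = (term.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
        where.append("(" + " OR ".join(f"{c} LIKE ? ESCAPE '\\'" for c in cols) + ")")
        params.extend([f"%{escaped}%"] * len(cols))

    for col, value in (filters or {}).items():
        if col not in FILTER_COLUMNS:
            raise ValueError(f"cannot filter on column: {col!r}")
        where.append(f"{col} = ?")
        params.append(value)

    if in_stock_only:  # a checkbox: fixed SQL, no user value involved
        where.append("stock > 0")

    if order_by not in SORT_COLUMNS:
        raise ValueError(f"cannot sort on column: {order_by!r}")

    sql = "SELECT id, name, vendor, price FROM products"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += f" ORDER BY {order_by} LIMIT ?"
    params.append(int(limit))
    return sql, tuple(params)


def demo_connection():
    """In-memory database with a few constructed rows (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE products (
        id INTEGER PRIMARY KEY, name TEXT, description TEXT,
        vendor TEXT, category TEXT, manufacturer TEXT,
        price REAL, stock INTEGER)""")
    conn.executemany("INSERT INTO products VALUES (?,?,?,?,?,?,?,?)", [
        (1, "Widget", "A basic widget", "Acme", "tools", "Acme", 9.99, 5),
        (2, "Gadget", "A fancy gadget", "Globex", "tools", "Initech", 19.99, 0),
        (3, "Sprocket", "Industrial sprocket", "Acme", "parts", "Acme", 4.50, 12),
    ])
    return conn


def search(conn, **criteria):
    """Run a search and return the matching product names in sort order."""
    sql, params = build_search(**criteria)
    return [row[1] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = demo_connection()
    print(search(db, filters={"vendor": "Acme"}))              # ['Sprocket', 'Widget']
    print(search(db, term="' OR 1=1 --"))                      # [] : treated as text
    print(search(db, in_stock_only=True, order_by="price"))    # ['Sprocket', 'Widget']
```

Two things to check when reviewing such a builder: that the number of `?` placeholders always equals the number of bound parameters however the criteria combine (the test for this is a one-liner), and that nothing taken from the request ever reaches the SQL text except through the allow-list lookups; an `ORDER BY` column or a "search in" column name is the usual place where that discipline slips.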
