SQL Injection attacks

The recent attack on the Royal Navy site using SQL Injection techniques is a timely reminder to anyone still leaving their database unprotected.

The good news is that you can quite easily reduce the risk of an injection attack. These attacks take place when a site lets the data entered into a form field reach the database as part of an SQL command. By adding extra words to the end of a form input field, SQL statements can be run in addition to the statement the designer intended. These commands can be quite simple: for example, first select a list of tables, then select the data in those tables. As this operates at the database layer, the software has already made a connection to the database, so login details aren’t required.

There are simple functions that use basic escape mechanisms to protect the data input. The most common is escaping the data, which may not be the strongest security measure. The input string is read and, if the function finds certain characters, it will ‘escape’ them by adding a ‘\’ character in front of the relevant character. There are still ways around this, so to be safe the query to the database should be ‘parameterized’: the input is passed to the SQL query as separate parameter values rather than being joined into the text of the statement. Basic functions exist in most programming languages to do this task.

Better yet, and good practice anyway, is to use stored procedures as these are totally parameterized. It isn’t particularly complicated, but it is a bit of a pain to do … if in doubt ask your web designer!
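The difference between joining form input into the statement and passing it as a parameter, shown with Python's built-in sqlite3 module. This is an added example, not code from the original post; the users table, its rows, the sample inputs and the function names are constructed for illustration.

```python
import sqlite3

# Constructed form inputs: one with extra words appended, one legitimate
# name that happens to contain a quote character.
CRAFTED = "nobody' OR '1'='1"
LEGIT = "o'neil"

def make_db():
    # Constructed sample data, held in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'neil", "oneil@example.test")])
    return db

def lookup_concatenated(db, name):
    # Vulnerable: the input becomes part of the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, name):
    # Parameterized: the statement text is fixed; the input is bound to the
    # '?' placeholder and is only ever compared as a value.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def demo():
    db = make_db()
    results = {
        "concatenated_crafted": lookup_concatenated(db, CRAFTED),
        "parameterized_crafted": lookup_parameterized(db, CRAFTED),
        "parameterized_legit": lookup_parameterized(db, LEGIT),
    }
    try:
        lookup_concatenated(db, LEGIT)
        results["concatenated_legit"] = "ok"
    except sqlite3.OperationalError:
        # The stray quote breaks the statement for an honest user too.
        results["concatenated_legit"] = "syntax error"
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The concatenated lookup returns every row for the crafted input and fails outright on the legitimate name, while the parameterized lookup returns nothing for the first and the correct row for the second.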

Security starts at home

As soon as the dust settles on one crisis story about internet security, another pops up.

As developers we are on scores of mailing lists, and it is no surprise to find that the bulk of our alerts come from the security business sector, usually along with a ‘cure’ for the particular ailment. It seems to be a bit like going to the doctor and being advised to take cough medicine from his own brand of medicines, even if you only went with a sore foot.

It is a pity really, as it can take a bit of time to sort the wheat from the chaff, or coughs from the limps.

The key theme that comes through again and again is that you must keep yourself secure: change passwords regularly, be careful about the type of data you put out onto the internet, check privacy policies, etc.

For those of you who might remember Hill Street Blues the phrase goes – ‘Let’s be careful out there!’

Not another ‘End of the world’!

2012 is getting filled up slowly but surely with end of world scenarios.

In true prophet of doom style we now hear that all IP addresses will run out, meaning no more internet connections. While it is true that the ‘old’ system of IP ranges will no longer suffice, there is a fix already in place.

I can remember in the late 90s having discussions about the IP addresses running out. The internet explosion hadn’t really hit at that time and the discussion was about workplace networks and business use. Unlike IPv4, which is 32-bit based, e.g. 192.190.190.190, IPv6 is 128 bits long and uses hex rather than decimal notation, e.g. 3dfe:1940:4545:3:200:feff:fe51:67df. We can jump from a ‘maximum’ of 4,294,967,296 IPv4 addresses to over 300,000,000,000,000,000,000,000,000,000,000,000,000 IPv6 addresses.

IPv6 already has achieved wide adoption, but like most things human we have left switching to the new system to the last minute. Most operating systems can deal with IPv6 already, so that shouldn’t be an issue.

As with the ‘millennium bug’, let’s not tear our hair out about this one, though soon it will be the turn of another dire warning about the global use of IT.