Tuesday, March 17, 2009

SQL Injection: Tenderizing websites the world over

Some folks like to inject some sort of marinade into chicken/steak/whatever prior to stoking up the grill... I couldn't resist the title's play on words, but you do need to know about yet another peril of running anything on the web that sits in front of a database - "SQL Injection". It isn't actually new (it has been written up since the late 1990s), but it is newly in the news, and it is still knocking over websites daily.

SQL is a very popular language for querying and updating databases, and it's practically a sure thing that you've accessed an SQL database server many times in your websurfing adventures, whether you knew it or not. For instance, just this morning I took a look at the BAE Systems job search site, and got this:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near the keyword 'AND'.

/includes/local_subs.asp, line 1586

Which does not mean "the database is down; come back later". It means the page's own code (that .asp file, line 1586) assembled a SQL statement that the database server could not parse. Syntax errors like this one typically show up when a page pastes whatever arrived in the URL or a form field straight into the query text, and that habit is exactly what makes SQL injection possible: if my input becomes part of the query, my input can change what the query does. Whether this particular page can actually be exploited is a separate question, but a raw database error dumped onto a public page is the first thing an attacker looks for, because it confirms the input reached the database and tells them what kind of server is on the other end.

But back to SQL Injection - the problem is serious enough that the phrase has made it into the mainstream media - an article in USA Today describes the vulnerability in detail. Strictly speaking, SQL injection is a flaw in a website's own code, and only the people who run the site can fix it (the cure is to hand user input to the database as a separate parameter rather than splicing it into the query text). It matters to you, Dear Surfer, because a site that has been injected is routinely turned into a launching pad for malware aimed at visitors' browsers and plug-ins. So the upshot for you is to keep everything that you use to access web content updated with the latest patches - which is almost a job unto itself: the article mentions Internet Explorer, Firefox, Safari, Opera, Chrome, Adobe Flash, Adobe Reader, iTunes, QuickTime, Windows Media Player and RealPlayer. Most or all of those tools can be configured to check for updates, and more and more I'm turning that feature on. (Historically my philosophy has been "if it ain't broke, don't fix it" in terms of software updates, but things have gotten to the point where I feel I just have to trust the vendors not to break stuff when they update their applications, in order to try to stay ahead of all of these vulnerabilities.)
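To make the mechanism concrete, here is a small added example (my own, not code from the original post and nothing to do with the BAE site) that builds a job search two ways against an in-memory SQLite database with constructed sample rows. The first version splices the visitor's input into the SQL text, so a stray quote produces the same kind of syntax error quoted above (SQLite words it "near "AND": syntax error" where SQL Server says "Incorrect syntax near the keyword 'AND'"), and a crafted input changes the query's logic and returns every row. The second version uses a parameterised query, so the same inputs are treated as plain text.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
JOBS = [
    (1, "Systems Engineer", "Arlington"),
    (2, "Software Developer", "San Diego"),
    (3, "Security Analyst", "Arlington"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER, title TEXT, city TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", JOBS)
    return conn


def search_vulnerable(conn, city):
    """The classic mistake: the visitor's input becomes part of the SQL text.
    Whatever they typed is parsed by the database as if the developer wrote it."""
    sql = "SELECT id, title FROM jobs WHERE city = '" + city + "' AND id > 0"
    return list(conn.execute(sql))


def search_safe(conn, city):
    """Parameterised query: the SQL text is fixed and the value travels
    separately, so quotes or keywords in the input cannot alter the query."""
    sql = "SELECT id, title FROM jobs WHERE city = ? AND id > 0"
    return list(conn.execute(sql, (city,)))


def probe(conn, city):
    """Run the vulnerable search and report what a visitor would see:
    ('ok', rows) on success, ('error', message) when the database
    rejects the spliced-together statement."""
    try:
        return ("ok", search_vulnerable(conn, city))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # A normal search works the same either way.
    print(probe(db, "Arlington"))
    # An unbalanced fragment breaks the statement: the tell-tale syntax error.
    print(probe(db, "Arlington' AND AND --"))
    # A balanced fragment rewrites the WHERE clause and returns every job.
    print(probe(db, "' OR 1=1 --"))
    # The parameterised version treats the same fragment as a literal city name.
    print(search_safe(db, "' OR 1=1 --"))
```

The `--` at the end of the injected inputs comments out the rest of the original query, which is why the attacker never has to guess what comes after the hole. Note that the parameterised version never raises at all: there is no statement to corrupt because the input is not part of the statement.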
