Author Topic: Why is SQL Injection such a problem?  (Read 562 times)

0 Members and 1 Guest are viewing this topic.

Offline theKit

  • Devotee
  • **
  • Posts: 178
    • View Profile
Why is SQL Injection such a problem?
« on: October 28, 2014, 10:44:04 pm »
Usually when you hear about some big ass company getting some sort of data breach (Sony), it more often than not is pointed out that the attack was SQL injection. I've not studied it too deeply but everywhere I go I keep getting the same advice - prepared statements. If it's as simple as separating your SQL and parameters, why are big time companies still getting hit? Didn't the guy who got all those SSN's from that Oregon (or wherever) unemployment office use an SQL attack? How could someone put in charge or writing scripts dealing with such sensitive information not be using prepared statements if that's all it takes to prevent injection?   

Offline Lanny

  • Zealot
  • ****
  • Posts: 1,123
    • View Profile
Re: Why is SQL Injection such a problem?
« Reply #1 on: October 28, 2014, 11:13:34 pm »
SQL injection is less common than it used to be, in part due to a public education campaign and in part because there's a move away from having humans write SQL. It still happens though, and I think the reason it was such a problem is it's pretty tempting to just stick some strings together and throw it at your DB. Like it seems easy to just use prepared statements, and it is, but when you're sitting there with strings, everyone knows the string API, not so much whatever db driver they happen to be using. Just one of those occasional pitfalls of laziness I guess.

Offline aldra

  • Arch Disciple
  • ***
  • Posts: 623
  • albrecht drais
    • View Profile
Re: Why is SQL Injection such a problem?
« Reply #2 on: October 28, 2014, 11:39:37 pm »
programmers can be very, very lazy... especially those who do it for a day job, in my experience. a lot of the time they don't care about security until something gets hacked, infected etc.

also, large companies tend to split jobs into modules and have different programmers or groups work on different parts of the application... a php programmer that knows very little SQL may write a few page-driven queries, and as long as the page works it may never get audited.

Offline LiquidIce

  • Adherent
  • *
  • Posts: 52
    • View Profile
Re: Why is SQL Injection such a problem?
« Reply #3 on: November 05, 2014, 09:44:16 am »
programmers can be very, very lazy... especially those who do it for a day job, in my experience. a lot of the time they don't care about security until something gets hacked, infected etc.

also, large companies tend to split jobs into modules and have different programmers or groups work on different parts of the application... a php programmer that knows very little SQL may write a few page-driven queries, and as long as the page works it may never get audited.

I'd also add the fact that people have deadlines. I never knew this was such a big thing until I got my first real job. Before that I thought I was a code cowboy and suddenly I began making ridiculously stupid code because there simply wasn't enough time to think over the problem, how it fits into the grand design, nor to even write tests. All those things I've heard about TDD, integration testing, architecture? Out the window they go because programmer time is money and managers can't understand that investing more time now means saving time on maintenance down the road - only the now matters.