Oct 23: Seoul:
WebAppsCon
WebAppsCon
Oct 27: Boston:
SD Best Practices
SD Best Practices
Feb 24: Miami:
Future of Web Apps
Future of Web Apps
|
|
Oct 23: Seoul:
WebAppsCon Oct 27: Boston:
SD Best Practices Feb 24: Miami:
Future of Web Apps |
|
Wanted: Web Game Developer
at Hive7 (Palo Alto, CA).
See this and other great job listings at
jobs.joelonsoftware.com.
What's a SQL Injection Bug?This item ran on the Joel on Software homepage on Wednesday, November 01, 2006I tried to sign up for an online site. The signup page wanted a secret question and secret answer. For the secret question, I put “what is aunt Vera's cat's color”. It complained about the apostrophe in the question. OK, fine. I deleted that apostrophe. For the secret answer, I put “Aunt Vera doesn't have a cat.” And I got this: 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't have a cat', 'male')' at line 1 This means that the programmers are in the habit of taking strings that they got from the user (i.e. GET or POST parameters) and concatenating them together with other bits and pieces of SQL to generate SQL statements. For example, in PHP with PostgreSQL:
(For non-PHP programmers: “.” is the string concatenation operator). I'm not surprised that they are in the habit of doing this; a lot of programming books, tutorials, and documentation use examples like this. Unfortunately it's a gigantic security hole called SQL injection. The user, if malicious, can close the string that you opened, finish your select statement, put in a semicolon (the SQL statement separator), and then type any SQL code they want, and it will run. So, for example, if the user supplies this as name:
... the SQL statement executed will be:
... which will do exactly what it looks like: it will delete the entire table of accounts. This is an extremely common problem: Michael Sutton did a little research project and found that 11.3% of web applications have SQL injection vulnerabilities. My new book is here! Apress has just published a new collection of 36 essays from Joel on Software, aptly named More Joel on Software. Get yours today! Available from Amazon.com or wherever fine cheese is sold. About the Author: I’m your host, Joel Spolsky, a software developer in New York City. Since 2000, I've been writing about software development, management, business, and the Internet on this site. For my day job, I run Fog Creek Software, makers of FogBugz—the smart bug tracking software with the stupid name, and Fog Creek Copilot—the easiest way to provide remote tech support over the Internet, with nothing to install or configure. Enter your email address to receive a (very occasional) email whenever I write a major new article. You can unsubscribe at any time, of course. |
I'm your host, Joel Spolsky, a software developer in New York City. Since 2000, I've been writing about software development, management, business, and the Internet on this site. More about me.
There's a complete archive of everything going back to 2000. The home page is reserved for minor, ephemeral thoughts, but occasionally I write a longer article. You can sign up to receive email whenever this happens at the bottom of this page. We also have one of those RSS thingamajiggies. If you don't know what that is, consider yourself lucky.
This site is actively translated by volunteers around the world into more than thirty languages.
Want to hire great developers? Looking for a job that doesn't suck? Over 200,000 great programmers read my job board at jobs.joelonsoftware.com.
 Jeff Atwood and I have a weekly podcast on IT Conversations where we chat about software development, especially the new website we're building, stackoverflow.com.Have feedback? There are several popular discussion boards on this site: Joel on Software
Business of Software Design of Software .NET Questions TechInterview.org CityDesk FogBugz Fog Creek Copilot You can also email me directly, although my mailbox is an official disaster area.
For my day job, I'm the CEO of Fog Creek Software, a bootstrapped software company in New York, NY.
 We make FogBugz, a bug tracking system that actually works and can be used to manage everything your development team does, from bug tracking to customer email to feature management to project scheduling and so much more. Free online trial.We also make Fog Creek Copilot, which lets you control someone else's computer (with their permission, of course) over the Internet. It's the best way to fix someone's computer problems remotely. There's nothing to install, it's simple as heck, and it works through any kind of firewall, NAT, or proxy situation with zero configuration. More
If you're in college, Fog Creek Software has a very cool paid internship program (last year's interns developed Copilot in one summer). We also run a Software Management Training Program, an intensive two year program for college graduates to learn about managing high tech that combines a Masters in Technology Management with extensive hands-on experience in a variety of positions.
Wondering what it's like to develop software at Fog Creek? The documentary Aardvark'd covers the story of the development of Copilot. It's available on DVD.
Fog Creek co-founder Michael Pryor has his own site on Technical Interview Questions.
 The entire contents of this site represent the opinions of one person. This site is built with CityDesk and hosted by Peer 1 Network. © 1999-2008 Joel Spolsky. All Rights Reserved. Linking, quoting and reprinting
|
|
| Home | Email | Bug Tracking Software | Remote Assistance | Complete Archive | ||
