Why it’s easy being a hacker – A SQL injection case study

Why it’s easy being a hacker – A SQL injection case study » Secure Solutions: Finding SQL injections today is like picking apples from an apple tree. It’s very easy, and anyone can do it. Ask any hacker you want, SQL injection is everywhere. There have been many folks predicting the end of SQL Injection, however, year after year we see it in the OWASP Top 10.

In my presentations on the topic I’ve said that the reason for this is not necessarily only the developers fault, but just as much the material they are teaching themselves with. Now it is time to put bang to the buck and prove it!

Lets do a Google search on e.g. “How to use PHP with MySQL” and check out the top 10 answers. I’ll do it for you and sum up the results:

• 1st result: Vulnerable to SQL Injection
• 2nd result: Does not show you how to handle user input. No use of prepared statements.
• 3rd result: Same as above. No prepared statements, only hardcoded value examples.
• 4th result: This is from php.net. It does not show how to query the database with user supplied values.
• 5th result: Does not show you how to handle user supplied input.
• 6th result: From w3schools.com. I changed the page to insert queries (from connecting to database) and they are all vulnerable to SQL Injection.
• 7th result: Youtube result which does not introduce how to use user supplied input. I click the next link on Youtube and that video is vulnerable to SQL Injection.
• 8th result: Vulnerable to SQL injection.
• 9th result: This was an irrelevant result. Skipping to next one and it operates on hardcoded values, and does not introduce the developer to user supplied values.
• 10th result: This one is from mysql.com. Vulnerable to SQL Injection!

So there you have it folks. The first 10 results on Google does NOT provide the developers with knowledge on how to properly use a database with user supplied input! Thank you for providing us security folks with jobs many years to come! There is no need to single-handedly blame the developers for SQL injection when the learning material is wrong from the beginning.

Of course some of these injections may be thwarted by say “PHP Magic Quotes” or other filtering services on the web/app-server.  This is however no excuse to not properly do safe queries in your examples. PHP.net even recommends turning off the magic quotes option.