Why it’s easy being a hacker – A SQL injection case study

Finding SQL injections today is like picking apples from an apple tree: it's easy, and anyone can do it. Ask any hacker you want, SQL injection is everywhere. Plenty of people have predicted the end of SQL injection, yet year after year it shows up in the OWASP Top 10.

In my presentations on the topic I've argued that the reason for this is not only the developers' fault, but just as much the material they teach themselves with. Now it is time to put my money where my mouth is and prove it!

Let's do a Google search for, say, "How to use PHP with MySQL" and look at the top 10 results. I'll do it for you and sum up the findings:

So there you have it, folks. The first 10 results on Google do NOT teach developers how to properly use a database with user-supplied input! Thank you for providing us security folks with jobs for many years to come! There is no need to single-handedly blame the developers for SQL injection when the learning material is wrong from the beginning.

Of course, some of these injections may be thwarted by, say, PHP's magic quotes or other filtering on the web/app server. That is no excuse for not writing safe queries in the examples, though. Escaping quote characters does nothing for a value that is used without quotes in the first place, such as a numeric ID in a WHERE clause, and PHP.net itself recommends turning the magic quotes option off (the feature was deprecated in PHP 5.3 and removed in PHP 5.4).
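To make the point concrete, here is an added example (my own code, not from the original post or from any of the tutorials it surveys) that puts the concatenation pattern those tutorials teach next to the prepared-statement version. It runs against an in-memory SQLite database through PDO, which assumes the pdo_sqlite extension is loaded; the same PDO calls work unchanged against MySQL with a mysql: DSN. The table, rows and attacker inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. In-memory SQLite via PDO
// (assumes the pdo_sqlite extension) so it runs offline; swap the DSN for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.org'), ('bob', 'bob@example.org')");

// Tutorial-style lookup: user input pasted straight into the SQL text.
function findByNameUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric variant: no quotes around the value, so escaping quote characters
// (magic quotes, addslashes) cannot help here at all.
function findByIdUnsafe(PDO $db, string $id): array
{
    $sql = 'SELECT id, name, email FROM users WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe lookup: the statement text is fixed, the value travels as a parameter
// and can never change the structure of the query.
function findByNameSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Safe numeric lookup: validate the type first, then bind. An id that is not
// an integer is an error, not a value worth sending to the database.
function findByIdSafe(PDO $db, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker inputs.
$namePayload = "' OR '1'='1";   // closes the quoted literal; this is the case magic quotes would backslash
$idPayload   = '1 OR 1=1';      // contains no quotes at all, so magic quotes would leave it untouched

printf("unsafe name lookup: %d row(s)\n", count(findByNameUnsafe($db, $namePayload))); // 2: WHERE name = '' OR '1'='1'
printf("unsafe id lookup:   %d row(s)\n", count(findByIdUnsafe($db, $idPayload)));     // 2: WHERE id = 1 OR 1=1
printf("safe name lookup:   %d row(s)\n", count(findByNameSafe($db, $namePayload)));   // 0: the payload is just a name nobody has
try {
    findByIdSafe($db, $idPayload);
} catch (InvalidArgumentException $e) {
    printf("safe id lookup:     rejected (%s)\n", $e->getMessage());
}
printf("safe id lookup with valid input: %s\n", findByIdSafe($db, '1')[0]['name']);   // alice
```

The two unsafe functions each return every row in the table, and the numeric one does so with a payload that contains no quote character at all, which is exactly the case that magic quotes or an escaping wrapper cannot cover. The safe functions need no escaping logic because the database driver never sees the parameter as SQL; the integer check in findByIdSafe is there so that garbage is rejected at the boundary instead of being silently coerced, whose behaviour differs between database engines.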