
“Little Bobby Tables”… (or why SQL injection is serious)

I’d seen this xkcd strip before, but someone here in the office brought it up again during a discussion of the discovery that someone was building SQL statements by concatenating data taken straight out of a grid: xkcd: Exploits of a Mom. Don’t let the title scare you, it’s safe, even for work, unless audible laughter isn’t allowed. In short, it shows what can happen when you string untrusted data directly into a SQL statement: the data stops being data and becomes part of the command. Escaping or “sanitizing” the value helps only if you get it right every time; the reliable fix, and the point of the strip, is to pass input values as parameters whenever possible, so the database never parses them as SQL.
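As an added example (not code from the original post), here is the strip’s payload run against both ways of building the statement. It uses Python’s sqlite3 module and an in-memory database as a stand-in for whatever database the grid was feeding; the table name, the sample row and the payload string are constructed for the demonstration. `executescript` is used for the vulnerable version because, like a driver or server that accepts statement batches, it will happily run the injected `DROP TABLE` after the `INSERT`.

```python
import sqlite3

# Constructed sample input: the payload from the xkcd strip.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory database with a Students table holding one (constructed) row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with this name is still in the schema (parameterized lookup)."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def insert_student_unsafe(conn, name):
    """Vulnerable on purpose: the value is glued into the statement text,
    which is the mistake the post describes. executescript runs every
    statement in the string, so the injected DROP TABLE executes too."""
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)
    return sql


def insert_student_safe(conn, name):
    """Hardened: same statement, but the value is bound as a parameter.
    The database receives it as data, so quotes and semicolons are inert."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def demo_unsafe():
    """Returns whether Students survived the concatenated insert (it does not)."""
    conn = fresh_db()
    insert_student_unsafe(conn, BOBBY)
    return table_exists(conn, "Students")


def demo_safe():
    """Returns (table still exists, stored names) after the parameterized insert."""
    conn = fresh_db()
    insert_student_safe(conn, BOBBY)
    names = [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]
    return table_exists(conn, "Students"), names


if __name__ == "__main__":
    print("unsafe: Students table still exists?", demo_unsafe())
    print("safe:   Students table still exists?, rows:", demo_safe())
```

With the concatenated version the payload’s closing quote and semicolon end the `INSERT`, and `DROP TABLE Students;` runs as a second statement while `--` comments out the leftover `');`. With the bound parameter the exact same string is stored, verbatim, as a student name, and the table is untouched.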

Oh, and it is possible to use parameters with dynamic SQL, too; in a future post I’ll show how that’s done.

Categories: Humor, Technology
  1. April 6, 2011 at 11:22 am

    my forum uses PHP-Nuke, and I’m often bombarded by what I believe to be SQL Injection. I’ll get a dozen new “users” daily, but they have no IP address, and no traces of them or their fake email addresses can be found anywhere else. From time to time, one of them will post some spam in one of our topics. Oddly enough, it is usually in the same topic, although there are 6 topics to choose from, most of the time this spam ends up in the 2nd one. I’ve tried making the forum registration be limited to admin permission but that doesn’t stop these phantom users from being created.

    seeing that it’s a database created by the php-nuke application, I’m not sure what I can do about this. So, daily, I delete any user with no IP address, and scrutinize the new members that do have IPs. What can I do about this? And if I do something now, will it get lost if I have to upgrade to a newer version?

  2. April 6, 2011 at 11:29 am

    Best way I’ve seen to combat this is to prevent instant activation… force an email with an activation link to go out… I think PHPNuke has that capability. Legit users will usually find it a minor annoyance, but it typically stops most drive-by posting bots. Also look for an RPCXML.php file or something with RPC in the name of the file in the root… it’s a special file that allows remote calls to be performed. Rename it, or delete it. In short it is generally a file that allows remote calls to be executed; if you know what you’re doing, you can manipulate it into letting a site do your bidding. It really should be called JediWebTricks.php.

    -tg

  3. Terry
    April 6, 2011 at 11:36 am

    did that (admin permissions).
    I’ll look for that RPC file.

  4. April 6, 2011 at 12:49 pm

    Reminds me of a “successful” live demo of voice-activated software in Windows, where front-row audience member(s) shouted out commands that caused the demonstration PC’s hard drive to be reformatted.
