BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ
News Articles Presentations Podcasts Guides

Topics

Choose your language

QCon London

Discover new ideas and insights from senior practitioners driving change in software. Attend in-person.
QCon San Francisco: Video-Only Pass

Video-Only Pass for professionally edited conference recordings.
The Software Architects' Newsletter

Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.

InfoQ Homepage News Study Shows That 11% of Sites Are Vulnerable to SQL Injection Attacks

Study Shows That 11% of Sites Are Vulnerable to SQL Injection Attacks

Bookmarks

Sep 30, 2006 less than one minute

Write for InfoQ

Join a community of experts. Increase your visibility.
Grow your career.Learn more

In an informal study, Michael Sutton of SPI Dynamics was able to demonstrate that 80 out of 708 tested web sites were susceptible to SQL injection attacks.

In order to limit the test to sites that used a database, he first performed a Google search for sites with URLs containing "id=10". The assumption was that any site using a name=number pattern in the query string was most likely doing a database lookup. Using this, 1000 sites were selected.

After removing duplicates and non-functional sites, Michael Sutton was left with a pool of 708 candidate sites. By altering the query string, he found that 80 sites were returning error messages that suggested they were vulnerable to SQL injection attacks.

While study may not be formal enough for an academic paper, it does suggest that SQL vulnerabilities are a wide-spread problem among websites.

Rate this Article

Adoption
Style

This content is in the Database topic

Related Topics:

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

  • Protection against SQL Injection (request for comments)

    by Thomas Mueller,

    Your message is awaiting moderation. Thank you for participating in the discussion.

    There is an abvious way to protect against this vulnerability: don't embed user input into the SQL statement, use parameterized statements instead. I suggest that this should be enforced by the database engine (or, by the driver), by disabling literals in SQL statements. See here for more details:

    www.h2database.com/html/advanced.html#sql_injec...

    What do you think about this solution?

    Back to top
  • Re: Protection against SQL Injection (request for comments)

    by Paul H,

    Your message is awaiting moderation. Thank you for participating in the discussion.

    It's the standard solution :).
    Other problems (derived from the request params issues) might occur like removal/retrieval of items, for what you don't have credentials, common mistake in all the web apps, but that's a design problem.

    It would be nice to hear about solutions to avoid such flaws. I saw a few months ago an article about encrypting the url params etc, but i can't find the link :(.

    Back to top
  • lies damn lies...

    by Jelmer Kuperus,

    Your message is awaiting moderation. Thank you for participating in the discussion.

    pfff or an error is shown because the parameter cannot be parsed to a string. This doesnt say anything

    Back to top

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT