
Understanding SQL Injection Vulnerabilities

Thursday, April 25th, 2013

Every now and then I get a report from some security auditor that Plumtree (or ALUI or WCI) has a "SQL Injection Vulnerability". While this blog has seen more than one security-related post, SQL injection is not a likely attack vector against this product.

The reason for this is simply that WebCenter Interaction (and BEA ALUI before that, and Plumtree before that; this thing has always had a very solid foundation!) uses PREPARED STATEMENTS and, to a lesser extent, STORED PROCEDURES (which give the same protection only as long as they do not build dynamic SQL out of their arguments). The above wiki post describes how SQL injection works, and this post describes things exceptionally well:

You can either use BAD SQL that exposes the application to SQL injection (the user's input is pasted straight into the statement text):

// BAD: createStatement() takes no SQL; the query string is handed to execute()
Statement stmt = conn.createStatement();
stmt.execute("INSERT INTO students VALUES('" + user + "')");

... or you can use GOOD CODE to avoid it (the SQL text is fixed and the value is bound separately):

// GOOD: the statement text never changes; the value is sent as a parameter
PreparedStatement stmt = conn.prepareStatement("INSERT INTO students VALUES(?)");
stmt.setString(1, user);
stmt.execute();

Now, let's say that a malicious end user enters a value of Robert'); DROP TABLE students; -- for their user name.

The first example would run this SQL text:

INSERT INTO students VALUES('Robert'); DROP TABLE students; --')

... which drops the whole students table, at least on any driver and database that accept stacked statements in one execute() call (many JDBC drivers refuse this by default, but that is a property of the driver, not of the code, and the attacker still controls the rest of the statement either way).

The "Good Code", though, would simply insert the literal value Robert'); DROP TABLE students; -- into the "students" table. Not perfect, sure. But at least your database would be protected from end users being able to run SQL against it!
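To make the difference concrete and runnable, here is the same pair of inserts as an added example (not code from the original post or from WebCenter Interaction), written in Python against an in-memory SQLite database rather than JDBC so it runs without a server. The students table, the Alice row and the PAYLOAD string are constructed sample data; executescript() stands in for a driver that allows stacked statements. It also goes one step past the post: placeholders bind values only, so the list_students() helper shows the allow-list check you need when the user picks an identifier such as a sort column.

```python
import sqlite3

# Constructed sample input: the user name from the post.
PAYLOAD = "Robert'); DROP TABLE students; --"

# Column names a caller may sort by (hypothetical allow-list for this example).
ALLOWED_SORT_COLUMNS = {"name"}


def fresh_db():
    """Constructed fixture: one students table with a single row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn, table):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?",
        (table,),
    ).fetchone()
    return row[0] == 1


def insert_bad(conn, user):
    # BAD: the user value becomes part of the SQL text. executescript() runs
    # every statement in the string, so the injected DROP TABLE executes too.
    conn.executescript("INSERT INTO students VALUES('" + user + "')")
    conn.commit()


def insert_good(conn, user):
    # GOOD: the SQL text is fixed; the value is bound as a parameter and is
    # stored verbatim, quotes, semicolon and comment marker included.
    conn.execute("INSERT INTO students VALUES(?)", (user,))
    conn.commit()


def list_students(conn, sort_by):
    # Placeholders cannot bind identifiers, so a user-chosen column name must
    # be checked against an allow-list before it is spliced into the query.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY " + sort_by)]


def demo_bad():
    """Run the payload through the concatenated insert; returns whether the table survived."""
    conn = fresh_db()
    insert_bad(conn, PAYLOAD)
    return table_exists(conn, "students")


def demo_good():
    """Run the payload through the parameterised insert; returns (table survived, rows)."""
    conn = fresh_db()
    insert_good(conn, PAYLOAD)
    return table_exists(conn, "students"), list_students(conn, "name")


if __name__ == "__main__":
    print("bad insert, table still exists:", demo_bad())
    print("good insert, table still exists and rows:", demo_good())
```

The bad path drops the table; the good path ends with two rows, Alice and the literal payload. The allow-list in list_students() is the part prepared statements do not cover: a sort column, table name or LIMIT clause taken from the user still has to be validated in code.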

Guess which type WebCenter Interaction uses? If you guessed the latter, you’d be right. And you can move on from claims of “SQL Injection Vulnerabilities” – there’s nothing to see here. Of course, there’s plenty to be seen elsewhere, but that’s another story!