A few weeks ago, Bill Karwin did a must-watch webinar on preventing SQL injection titled “SQL Injection Myths and Fallacies”.
Bill Karwin (twitter, new blog, old blog, Amazon) is well known for his work in the SQL database community, including InterBase/Firebird, MySQL, Oracle and many more.
He also:
- was product manager of InterBase (its screaming multi-generational database architecture, invented in the 80s by Jim Starkey and based on immutability, is now far more widespread under the name MultiVersion Concurrency Control, yet still baffles many people)
- worked on Firebird
- is author of the book SQL Antipatterns: Avoiding the Pitfalls of Database Programming (The Pragmatic Bookshelf), available on Amazon.
- is author of IBPerl
- is a frequent answerer on many SQL-related forums and Q&A sites, for instance Bill on Stack Overflow
Anyway, his webinar is awesome. Be sure to get the slides, watch the replay, and read the questions follow-up.
Watching it you’ll get a better understanding of defending against SQL injection.
A few very valuable points he made:
- Escaping is not the solution, and multiple levels of escaping only make life harder
- SQL parameter objects aren’t always a solution for SQL injection, as they can only be used for parameter values (not, for instance, for table or column names, or for other SQL syntax such as an ORDER BY direction)
- If you have to translate user input to SQL, then map it to safe SQL, not
- Database firewalls aren’t 100% foolproof (they generate both false positives and false negatives)
- NoSQL doesn’t suffer from SQL-injection, but from NoSQL-injection
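As an added example (not code from Bill's webinar or slides), the points above about parameters and mapping, in Python with sqlite3: the WHERE value is bound as a parameter, the ORDER BY column and direction are looked up in a whitelist and anything else is rejected rather than escaped, and the last function shows why binding a column name as a parameter does not do what people expect. The products table and its rows are constructed here for the demonstration.

```python
import sqlite3

# Whitelists of the SQL fragments the application accepts. User input is
# mapped onto these and never spliced into the query text itself.
SORT_COLUMNS = {"name": "name", "price": "price"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query(sort_by: str, direction: str) -> str:
    """Map user-supplied sort options to safe SQL; anything not on the
    whitelist is rejected rather than escaped."""
    if sort_by.lower() not in SORT_COLUMNS or direction.lower() not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort option")
    column = SORT_COLUMNS[sort_by.lower()]
    order = SORT_DIRECTIONS[direction.lower()]
    # The WHERE value stays a placeholder that is bound at execution time.
    return f"SELECT name FROM products WHERE category = ? ORDER BY {column} {order}"


def is_accepted(sort_by: str, direction: str) -> bool:
    """True when build_query accepts the pair, False when it rejects it."""
    try:
        build_query(sort_by, direction)
        return True
    except ValueError:
        return False


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical products table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("pen", "office", 2.5), ("desk", "office", 150.0), ("lamp", "home", 30.0)],
    )
    return conn


def product_names(category: str, sort_by: str, direction: str) -> list:
    """Run the mapped query; the category is the only bound parameter."""
    rows = open_sample_db().execute(build_query(sort_by, direction), (category,))
    return [name for (name,) in rows]


def bound_identifier_result(category: str, column: str) -> list:
    """Why a parameter is no substitute for the mapping above: a bound
    placeholder is always a value, so this returns the literal text of
    `column` for every row instead of that column's contents."""
    sql = "SELECT ? FROM products WHERE category = ?"
    return [value for (value,) in open_sample_db().execute(sql, (column, category))]
```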
You’d think that the many PHP examples make this only valuable for web applications.
Not!
I’ve seen so many native apps suffering from SQL injection that this session is a “must watch” for any developer.
Non-web apps I have seen fail use technologies like .NET, Xcode, C++ and Delphi on a variety of platforms (Windows, Mac, mobile, you name it).
He will repeat this session at Percona Live on these dates:
- New York, October 1-2, 2012
- London, December 3-4, 2012
- Santa Clara, April 22-25, 2013
If you are nearby, try to get there, he is a very entertaining speaker!
–jeroen
via SQL Injection Myths and Fallacies.
