Thursday, 17 July 2008

Don't build sql with string concatenation

How freaking hard is it to understand that you don't freaking build SQL with string concatenation? Use a prepared statement. Is this concept really hard to understand? It's a simple way of preventing an attack by writing safe code.

It's not like this is a Java-specific attack. Sanitize inputs and don't be a shit head. If you get burned, it will be no one's fault but your own.

Frick.
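To make the point concrete, here is an added example that is not part of the original post. The post is written from a Java perspective, but since the author notes the attack is not language-specific, this uses Python's standard `sqlite3` module so it runs offline. The table, rows and function names are constructed for illustration. It puts the string-concatenated query beside the parameterized one and feeds both the same inputs: a normal username, a username containing a quote, and a value that rewrites the WHERE clause.

```python
import sqlite3

# Constructed sample data standing in for a real users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
    ("o'brien", "obrien@example.com"),  # legitimate name containing a quote
]


def make_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_concat(conn, username):
    """VULNERABLE: the query is built by string concatenation, so caller input
    becomes part of the SQL text and can change what the statement means."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_prepared(conn, username):
    """SAFE: the SQL text is fixed; the value is bound to a ? placeholder and the
    database treats it purely as data, never as part of the statement."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def run_both(conn, username):
    """Run the same lookup both ways; the concatenated version may not even parse."""
    try:
        concat = find_email_concat(conn, username)
    except sqlite3.OperationalError as exc:
        concat = "SQL ERROR: " + str(exc)
    return {"concat": concat, "prepared": find_email_prepared(conn, username)}


def demo():
    """Return the results for a benign name, a quoted name and a WHERE-clause rewrite."""
    conn = make_db()
    return {
        "benign": run_both(conn, "alice"),
        "quoted_name": run_both(conn, "o'brien"),
        "hostile": run_both(conn, "x' OR '1'='1"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: concat={result['concat']!r} prepared={result['prepared']!r}")
```

The concatenated query returns every row for the hostile input and throws a syntax error on a perfectly legitimate name containing an apostrophe; the prepared statement returns exactly the matching row in both cases. Binding parameters is therefore not only the security fix the post calls for, it is also the version that is simply correct.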

3 comments:

  1. Can you really blame them though? I do place a lot of the onus on the developer. But when 99% of the tutorials on the web actually show building of queries by string concatenation, or at best, mysql_real_escape_string_we_mean_it_this_time(), is it any wonder that developers don't have good practices? I think the main problem is that most tutorials are written by beginner developers who want to get their name out on the web, and make it look like they are more knowledgeable than they really are. Meanwhile the really knowledgeable developers are writing about more complex topics, or are actually writing real books. I think the developers are ultimately to blame, but there seems to be a lot of really bad resources out there. A problem which is not so easy to fix.

  2. Anyway, just be happy you don't work with people who put actual queries directly in the URL.
    http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

  3. Yes, I can blame them. Tutorials are great for getting up to speed on something, but developers who code for a living should be able to learn basic safety techniques.
    I'm always glad that nothing I've seen is bad enough to end up on the daily wtf... those stories are insane.
