Chapter 12: Database Input Issues

Many applications, especially Web-based applications, store persistent data in databases. In fact, so many Web-based applications and XML Web services use databases that it's difficult to talk about one without discussing the other. Therefore, in this chapter I'll discuss database issues primarily with regard to database Web applications. (Chapter 13, Web-Specific Input Issues, will focus on pure Web security issues that have nothing to do with databases but plenty to do with trusting input!) And I'll focus on one core subject: input trust issues that lead to SQL injection attacks. But before I do, I need to tell you a story.

In November 2001, I presented two papers at the Microsoft Professional Developer's Conference in Los Angeles. The second paper related to trust issues in general and database and Web input issues specifically. It was great to see a large audience in the auditorium as I entered 15 minutes prior to the start of the presentation. By the time I got started it was standing room only; in fact, people were in the hallway listening until the fire marshal came by and asked them to move along, but that's a story I'll save for another day. After I had discussed SQL injection attacks for about 30 minutes, a person in the front row left the auditorium, only to return ten minutes later. At the end of the presentation, the person came up to me to say that he worked for a large East Coast insurance company and had phoned his database development team to tell them to fix their code. He did not realize that such attacks existed, but he quickly realized that his company's databases were vulnerable to attack.

This story has an interesting lesson: many people do not realize their databases can be attacked by simply malforming the input used to query databases. In this chapter, I'll outline the security issues and how databases can be attacked through seemingly innocuous input, and then I'll wrap it up with remedies.
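As an added illustration of that lesson (example code, not from the book), the two lookups below run against a constructed in-memory SQLite table: one splices the caller-supplied name into the SQL text, the other passes it as a bound parameter so the database treats it purely as data. The table, sample rows and the malformed test string are all constructed for this example.

```python
import sqlite3

# Constructed sample data; not from the book.
ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Build a throwaway in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, name):
    # The untrusted value becomes part of the SQL text, so the database
    # cannot tell where the query ends and the data begins.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # The SQL text is fixed; the value travels separately as a parameter
    # and is only ever compared against the name column.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a well-formed and a malformed name."""
    conn = make_db()
    malformed = "x' OR 'a'='a"  # constructed malformed input for the check
    return {
        "unsafe_ok": lookup_unsafe(conn, "alice"),
        "unsafe_bad": lookup_unsafe(conn, malformed),  # returns every row
        "safe_ok": lookup_safe(conn, "alice"),
        "safe_bad": lookup_safe(conn, malformed),      # returns no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same check belongs in a test suite: any query path that returns more rows for a malformed name than for a well-formed one is building SQL from input and needs to be moved to parameters.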



Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
