Secure Thy Databases…

We have come a long way since a bunch of non-interactive pages written in plain HTML were considered to be a cool website. Today’s web sites more often than not are highly interactive, developed using sophisticated client and server side scripting code and with a relational database at the back storing and serving the data needed for website to work… blah blah blah… Well if you are reading this blog, I am sure you know all this theory. So, why I am writing this blog post? Two reasons:

4140461901_56d33e3737_b
  1. It’s been a long while since I posted last
  2. I found something which I wrote 4 years ago and I believe it’s worth sharing

Today, while going through my documents I came across a whitepaper which I wrote in Nov. 2007 titled “Dealing with Threats to Databases”. Yes, the title is same as that of my presentation at OWASP Australia in 2008. The slides for that talk can be found here.

So, If the paper was written in 2007 and presented in 2008, why am I am posting about it today i.e. in 2011.

Answer: The content of the paper is still valid and points raised are still applicable. If you don’t believe me, the proof can be found in the following links:

If you happen to check out these links, you will know that the vulnerability exploited in both the attacks is SQL injection. SQL Injection is not a new issue and has been around since last 8 to 10 years if not more. The application security evangelists have been preaching the countermeasures for the same since a long time as well. So why is the issue still there? I really don’t know the answer to this. May be the language used by the evangelists wasn’t clear enough or way of preaching/teaching/training wasn’t good enough.

So, here I am to explain the countermeasures to protect the databases once and for all. The next few posts (I promise to post the whole section within a week) will be focused on “Securing the databases”.

Just before ending this post I would like to give a “Mantra” to all the developers to avoid SQL injection. Repeat after me:

Writing dynamic queries is a sin. Parameterized queries will protect us from the wrath of SQLi.”

Writing dynamic queries is a sin. Parameterized queries will protect us from the wrath of SQLi.”

Writing dynamic queries is a sin. Parameterised queries will protect us from the wrath of SQLi.”

“Writing dynamic queries is a sin. Parameterised queries will protect us from the wrath of SQLi.

Make sure you remember this Mantra before coming to read the next post. See you all real soon and till then “ parameterized queries will protect us……

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 thoughts on “Secure Thy Databases…

  1. I just want to say I am just very new to blogging and actually enjoyed this web-site. Most likely I’m planning to bookmark your site . You really have outstanding stories. Cheers for sharing with us your webpage.

  2. xmtruB Very good written information. It will be helpful to everyone who employess it, including me. Keep up the good work – i will definitely read more posts.

  3. I simply want to mention I am just beginner to blogging and site-building and really savored your blog site. Almost certainly I’m going to bookmark your blog post . You absolutely have good articles and reviews. With thanks for sharing your blog.

  4. This is a topic which is close to my heart… Best wishes! Exactly where are your contact details though?

  5. After looking at a handful of the blog articles on your
    website, I truly like your way of blogging.
    I book-marked it to my bookmark webpage list and will be checking back soon. Please visit my web site too
    and tell me what you think.

  6. Have you ever thought about including a little bit more than just your articles?
    I mean, what you say is valuable and everything. But imagine if you added some great images or video clips to give your
    posts more, “pop”! Your content is excellent but with pics and
    video clips, this blog could definitely be one
    of the greatest in its field. Good blog!

  7. It’s perfect time to make some plans for the future and it is time to be happy. I have read this post and if I could I wish to suggest you some interesting things or advice. Perhaps you could write next articles referring to this article. I want to read more things about it!

  8. I have recently started a site, the info you provide on this web site has helped me greatly. Thank you for all of your time & work.

  9. Perhaps you have thought about writing an e-book or guest authoring on other blogs?
    We have your blog in relation to on a single topics you discuss and would love to get you share some stories/information.
    I know my readers would value your work. If you might
    be even remotely interested, go ahead and send me an e-mail.

  10. Wonderful blog! I discovered it while surfing
    around on Yahoo News. Do you possess any tips concerning how to get placed in Yahoo News?
    I’ve been trying for some time however i never appear to arrive!

    Thanks a lot

  11. I will immediately clutch your rss while i can’t to find your email subscription hyperlink
    or e-newsletter service. Do you’ve any? Kindly allow me recognise
    so as that I might just subscribe. Thanks.

  12. I’m really enjoying the design and layout of the site.
    It’s an incredibly easy around the eyes that makes it a lot more
    pleasant in my opinion to come here and visit more regularly.
    Do you hire out a developer to produce your theme?

    Superb work!

  13. Great article! That may be the type of information that
    are meant to be shared around the internet. Shame on the
    seek engines for now not positioning this post higher!

    Occur over and talk over with my website . Thanks =)