Code issue affects 40% of websites
- Posted:
- 15:42 12 Jan 2004
- Topics:
- Databases
Richard Brain, technical director at security specialist Procheckup, said the problem, known as SQL Injection, came about because users were not making adequate checks on web-based data entry forms.
Websites usually connect to back-end databases - whether Oracle, DB/2 or Microsoft SQL Server - using code written as a Java Server Page or Active Server Page. The code's purpose is to check the data input and pass it from the web server to the database server.
However, if an end-user enters an apostrophe or a semi-colon in a web form, these characters can be interpreted as a "line-break" command in the SQL language.
ADVERTISEMENT
Following an apostrophe or a semi-colon, an intruder could type in any valid SQL command and gain full access to the database.
Brain urged users to ensure their JSP and ASP code was able to handle the apostrophe and semi-colon characters purely as plain text, rather than as SQL commands. He suggested users modify their ASP and JSP code to filter all user input.
Brain also suggested that users should build custom web pages to handle errors prod-uced by the back-end database server. This would avoid giving hackers important information about the back-end systems, which could then be used to launch an attack.