As many as 40% of websites using back-end relational
databases are susceptible to a programming error that could enable
a hacker to take full control of the database.
Richard Brain, technical director at security specialist
Procheckup, said the problem, known as SQL Injection, came about
because users were not making adequate checks on web-based data
entry forms.
Websites usually connect to back-end databases - whether Oracle,
DB/2 or Microsoft SQL Server - using code written as a Java Server
Page or Active Server Page. The code's purpose is to check the data
input and pass it from the web server to the database server.
However, if an end-user enters an apostrophe or a semi-colon in a
web form, these characters can be interpreted as a "line-break"
command in the SQL language.
Following an apostrophe or a semi-colon, an intruder could type in
any valid SQL command and gain full access to the database.
Brain urged users to ensure their JSP and ASP code was able to
handle the apostrophe and semi-colon characters purely as plain
text, rather than as SQL commands. He suggested users modify their
ASP and JSP code to filter all user input.
Brain also suggested that users should build custom web pages to
handle errors prod-uced by the back-end database server. This would
avoid giving hackers important information about the back-end
systems, which could then be used to launch an attack.