Code issue affects 40% of websites

News

Code issue affects 40% of websites

Cliff Saran
As many as 40% of websites using back-end relational databases are susceptible to a programming error that could enable a hacker to take full control of the database.

Richard Brain, technical director at security specialist Procheckup, said the problem, known as SQL Injection, came about because users were not making adequate checks on web-based data entry forms.

Websites usually connect to back-end databases - whether Oracle, DB/2 or Microsoft SQL Server - using code written as a Java Server Page or Active Server Page. The code's purpose is to check the data input and pass it from the web server to the database server.

However, if an end-user enters an apostrophe or a semi-colon in a web form, these characters can be interpreted as a "line-break" command in the SQL language.

Following an apostrophe or a semi-colon, an intruder could type in any valid SQL command and gain full access to the database.

Brain urged users to ensure their JSP and ASP code was able to handle the apostrophe and semi-colon characters purely as plain text, rather than as SQL commands. He suggested users modify their ASP and JSP code to filter all user input.

Brain also suggested that users should build custom web pages to handle errors prod-uced by the back-end database server. This would avoid giving hackers important information about the back-end systems, which could then be used to launch an attack.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy