Code issue affects 40% of websites

News

Code issue affects 40% of websites

Cliff Saran
As many as 40% of websites using back-end relational databases are susceptible to a programming error that could enable a hacker to take full control of the database.

Richard Brain, technical director at security specialist Procheckup, said the problem, known as SQL Injection, came about because users were not making adequate checks on web-based data entry forms.

Websites usually connect to back-end databases - whether Oracle, DB/2 or Microsoft SQL Server - using code written as a Java Server Page or Active Server Page. The code's purpose is to check the data input and pass it from the web server to the database server.

However, if an end-user enters an apostrophe or a semi-colon in a web form, these characters can be interpreted as a "line-break" command in the SQL language.

Following an apostrophe or a semi-colon, an intruder could type in any valid SQL command and gain full access to the database.

Brain urged users to ensure their JSP and ASP code was able to handle the apostrophe and semi-colon characters purely as plain text, rather than as SQL commands. He suggested users modify their ASP and JSP code to filter all user input.

Brain also suggested that users should build custom web pages to handle errors prod-uced by the back-end database server. This would avoid giving hackers important information about the back-end systems, which could then be used to launch an attack.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.
 

COMMENTS powered by Disqus  //  Commenting policy