Thursday, September 10, 2009

How Big of a Problem is SQL Injection?

From NetSecurity.org:



Exactly how big of a problem is SQL injection? Can you provide a rough picture to our readers not familiar with the issue?




SQL injection is a HUGE problem.



It is both fairly common, as well as having the potential to be a huge risk to a business either directly or indirectly.



A good example of the risk of SQL Injection is the recent revelation that SQL injection was a key part in a number of the recent large credit card data breaches - Heartland, Hannaford, TJX and others.



In these cases, SQL injection was used in order to get further into an organization and do something else, however in a lot of cases SQL injection can be serious enough all on its own.



I've seen examples such as a small US bank that had over 5,000 mortgage applications stolen from an application via SQL Injection, and hence all of the information needed to steal all of those people's identities.



For those not familiar with SQL injection, it occurs when unvalidated user input is included within Structured Query Language (SQL) statements that are dynamically assembled within the application. For example, say the application is assembling a query for product information with a “productid” variable supplied by the user with a query something like this:



string query = "SELECT * from products WHERE productid =" + productid



Read in it's entirety at NetSecurity.org

Disqus for ePayment News