User: Password:
Subscribe / Log in / New account

Guess work?

Guess work?

Posted Mar 31, 2006 6:39 UTC (Fri) by hppnq (guest, #14462)
In reply to: Guess work? by GreyWizard
Parent article: SQL injection attacks

Basically, you are suggesting that in order to kill a fly, you should use a proper gun, practice at a firing range, isolate the fly in a safe environment, surgically optimize your eye-hand coordination, calculate environmental influences, suppress urges to start shooting at random, before taking a shot at removing the annoying intruder.

Sure, if a gun is my only tool, I'd go through all that. But I'd rather whack the bastard with a newspaper.

(Log in to post comments)


Posted Mar 31, 2006 15:07 UTC (Fri) by GreyWizard (guest, #1026) [Link]

That is a perfectly ridiculous analogy. Whining that the database has too many features that might be useful for someone exploiting SQL injection vulnerabilities in an unrelated application is not so much swatting the fly as cursing the publisher for printing a newspaper that's too hard to swing while the thing is still buzzing around your head.


Posted Mar 31, 2006 15:36 UTC (Fri) by hppnq (guest, #14462) [Link]

So what are you suggesting then? That we should all write perfect code? Yes, that would solve the problem. Is it realistic? Not a chance in hell.

Most or all security implementations heavily depend on defining proper interfaces to resources and making sure that access to resources is only possible through these interfaces.

It follows quite simply that it's wise to start off with as little resources and interfaces as possible if you care about security.


Posted Mar 31, 2006 22:17 UTC (Fri) by GreyWizard (guest, #1026) [Link]

Contrary to your raving, filtering user input does not require perfect code. I suggest reading the article to which this thread is attached. There you will find suggestions such as using prepared statements or stored procedures. As stated above, "SQL injections [...] can be thwarted relatively easily once one understands the problem and the ways to program around it." On the other hand, no database can provide protection from gaping security holes in external applications.


Posted Apr 1, 2006 8:53 UTC (Sat) by hppnq (guest, #14462) [Link]

It seems to me that we are making a lot of fuss about something that we basically feel the same about. If you take the time to calm down and read the comments as well as the article you might see this too.

Now, you were the one that brought up the topics of sloppy programming and "security through obscurity", taking this discussion explicitly to the realm of the real world, where the perfect solution does not exist. You observed that database features are no excuse for bad programming, while I am of the opinion that they should not be an excuse.

In the real world resources are limited. At some point a decision will have to be made: is it good enough? Since security means nothing in the laboratory, and everything in the real world, this is a very important observation. This is also why I mention writing perfect code: it cannot be done, and the only way to avoid having to make suboptimal decisions is to remove the necessity of making those decisions. This is a classic trade-off between security and functionality.

Instead of having to protect features one does not need, it is better to not have them available in the first place. That of course leaves more resources available to get the actual job done: defining the correct interfaces to the functionality you want to provide or use and protecting those interfaces properly.

On the other hand, no database can provide protection from gaping security holes in external applications.

This is the same problem. Do take some time to think about it.

Practice What You Preach

Posted Apr 3, 2006 15:50 UTC (Mon) by GreyWizard (guest, #1026) [Link]

You reply to a comment about security through obscurity with an irrelevant analogy to shooting mosquitoes, and now you accuse me of not reading what I reply to? You rant and rave about the impossibility of perfect code, and now you tell me to calm down? Amusing. But your airy hand waving about "protecting features one doesn't need" still misses the point: using the dumbest database available would be a trade-off between security and functionality only if this were an effective substitute for plugging SQL injection holes in the application. As long as there are remote exploits the application cannot meet even the least demanding security requirements with any database.

This is really not so complicated. Practice what you preach, especially with regard to taking the time to think about it.

Practice What You Preach

Posted Apr 3, 2006 22:19 UTC (Mon) by hppnq (guest, #14462) [Link]

Well, I just tried to add some more perspective to your rather simplistic "thou shalt not program sloppily" statement. It appears to me that in your enthusiasm to slight me, you seem to miss your own point completely.


Perspective Indeed

Posted Apr 4, 2006 2:58 UTC (Tue) by GreyWizard (guest, #1026) [Link]

You are confused. "Database features do not excuse sloppy applications" is simple. "Thou shalt not program sloppily" is simplistic. The latter is your contribution, not mine. Rambling about mosquitoes, whining about perfect code, splitting hairs over "are" and "should" and pretending I don't understand my own point is your idea of adding perspective, is it? Spare me such generosity.

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds