× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2004

RE: SQL Injection - security risk or bad programming?

> From: Walden H. Leverich III
> 
> the problem of SQL Injection exists regardless of the
> authentication method used or even the existence of
> authentication.

Only in poorly written code.


> To say that the problem is due to "really bad ASP programming" is
> just inflammatory.

> There's nothing in this issue that's Microsoft's
> fault, don't pin it there.

Walden, I went out of my way to be non-inflammatory, but since you think
I wasn't trying hard enough, let me expand on my point and remind of
what it looks like when I do voice my opinion <grin>.

Whether you want to admit it or not, this is really bad ASP programming,
particularly the bit about the "--" hack in the SQL statement, which to
my knowledge doesn't work on any other platform.  And while a version of
this technique can probably be used in a really crappy JDBC statement,
the truth is that most good Java programmers don't do that sort of stuff
anymore, especially since JDBC 2.  In fact, I have an entire lab
available at Rochester Initiative on using JDBC 2 properly.

But here's the part where I really blame Microsoft:

The statement "many programmers don't use them" is in reference to
prepared statements but could just as well include any good programming
techniques.  A lot of commercial programming today stinks, and it is
mostly a matter of bad training and bad management.  Any programmer who
uses obviously flawed programming techniques needs more training, any
manager who allows them to be used in production software should be
fired.  If we stopped making excuses for bad programming and returned to
an environment where quality was both expected and required then we
wouldn't have most of these hacks.

For example, all buffer overrun hacks are a direct result of a REALLY
BAD PROGRAMMING TECHNIQUE.  In fact, it's the same bad programming
technique: not checking for the end of the buffer (D'oh!).  But since
this level of quality is accepted in the software that comes out of
Redmond, it is now pervasive in the computing community.

Maybe it's not Microsoft's fault in this particular case, but the
atmosphere of poor quality programming I lay squarely at the feet of the
folks in Redmond.  By putting out code using lazy and sloppy techniques,
Microsoft invented the email virus.  By refusing to fix it except with
more hacks upon hacks, they extend the life of the concept.  Or more
precisely, they continue to provide the host where these things could
thrive.

If you think your network as a human body, Windows is the HIV of desktop
computing.  And it's bad enough that it's on your desktop; it's even
scarier when it's considered for mission critical business operations.

There, NOW you can accuse me of being inflammatory <smile>.
 
Joe

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.