Joel Spolsky errors about SQL injection

Posted At : November 1, 2006 9:30 AM
Related Categories: Microsoft,Technology,ColdFusion

Today Joel Spolsky mentioned SQL injection on his blog, and stated that if you are in the practice of directly dumping strings from user input into your DB, it would be easy to hack your DB if you close the string, insert a semi-colon and create a second SQL statement like so:

foo'; delete * from accounts
Just enter the above 'code' into the form and you've manually deleted the contents of their accounts table, right (assuming they have a table named 'accounts')? Only if you're using Microsoft SQL Server. SQL Server allows you to send multiple commands from an outside source. This is VERY insecure, for the above reason.

In Joel's example, the error message he got shows that the site he is referencing is powered by MySQL. I have dealt with Oracle and DB2 and I know those DBs don't allow multiple sql statements in one 'session' from an external source (session means one cfquery tag in this case). I'm assuming that MySQL won't allow this either (someone please correct me if I'm wrong). Update: I just tested this, thanks to a comment left by Jacek, and MySQL will not allow multiple SQL statements from one cfquery tag.

We in the ColdFusion community know that you should always CFQueryParam your variables in queries. Not only is this safer (it would stop the above attack), but it usually makes your queries quicker. This is because ColdFusion will create a "Prepared Statement", which is a fancy way of saying it will pre-compile the query. Then the DB just runs it without compilation. That said, Microsoft assumes that the developer is always going to use things like CFQueryParam in their code. Oracle and IBM, on the other hand, try not to let the developer make mistakes like this.

Comments (7) | Print | del.icio.us | Digg It! | Linking Blogs | 5799 Views

Related Blog Entries

Comments
[Add Comment]
you're wrong. MySQL allows multiple sql statements (at least versions 3 and 4 did, I haven't tested it with v5 yet).
# Posted By Jacek | 11/1/06 4:25 PM
Well, I just tested, and you're wrong Jacek, at least with MySQL v. 5. Or maybe we're talking about different things? I'm talking about multiple queries in one cfquery tag, like so:

<cfquery name="users" datasource="#myDSN#">
   select * from users;
   select * from users
</cfquery>

This returns this error: "You have an error in your SQL syntax...near '; select * from users' at line..."

Just like with DB2, If you try to put a semicolon in with the intention of executing more than one SQL query from one cfquery tag, you'll get an error. Actually, in DB2 it's more secure than this, because the DB tries to execute the first statement and silently ignores the second one.
# Posted By yacoubean | 11/1/06 4:46 PM
why do you assume everyone else is using coldfusion? Joel's example was about PHP. I don't know CF, maybe it limits the ability to do multiple queries, but MySQL 5 itself does not (yeah, just tested it with v5).
# Posted By Jacek | 11/2/06 2:39 AM
Jacek,

I /know/ the limitation is not in ColdFusion, because a lot of programmers like to do multiple queries in SQL Server, like to get the primary key that was just generated from an insert.

I'm curious how you were able to get MySQL 5 to run multiple queries and I was not. Are you just running a bunch of queries in your query tool? Because I know that works, that's a completely different subject. I'm talking about multiple queries from the outside. Also, it probably depends on the connection you're using. If you're connecting to MySQL ODBC, it probably allows it. I prefer to use the official JDBC driver from MySQL.
# Posted By yacoubean | 11/2/06 5:00 AM
it should also be noted that the semicolon separation is database specific. I know MSAccess has this, but MSSQL does not.
# Posted By Tony Petruzzi | 11/2/06 10:56 AM
Tony, that's not true either. MSSQL does support it. I ran this on MSSQL 2000 from ColdFusion, and it worked:

<cfquery name="test" datasource="#myDSN#">
   select * from testjake;
   delete from testjake
</cfquery>

Before running the above CF code, testJake had 199 rows. After, the table was empty.

This is exactly what Joel Spolsky was talking about in his blog post, but like I said, it doesn't work in the major non-Microsoft databases.
# Posted By yacoubean | 11/2/06 12:51 PM
The JDBC layer in ColdFusion prevents multiple statements in a single CFQUERY. Can be overridden using allowMultiQueries in the connection string.
# Posted By Per | 11/2/06 10:24 PM
[Add Comment]
BlogCFC was created by Raymond Camden. This blog is running version 5.9. Contact Blog Owner