Monday, August 9, 2010

Quiz #1 Answers - SQLi

OK, here are the answers...let me know how you did!

Q1. Parameterized queries are 100% effective against SQL Injection. True or False.

TRUE! SQLi is a PARSING issue: with a parameterized query the input travels as data, so it can never be parsed as additional commands alongside the one you intended.


Q2. If you can't do parameterized queries, then you can do stored procedures in the database. They offer you the same level of protection. True or False.

FALSE! Though I recommend stored procedures to avoid mistakes in the business and data layers of .NET code, among other reasons, there is no guarantee the DBA coded the stored proc to use query parameters. He/she could still be concatenating the parameters as strings into a SQL command...ouch.


Q3. Neither is perfect, but which is better for validation: black-listing or white-listing?

White-listing is better because you know what you want and can check for exactly that, discarding anything else no matter how tricky the hackers get. If you black-list, you run a huge risk of missing tomorrow's new attacks, or of canonicalization errors where the hacker encodes the attack one layer deeper than where you look. Don't chase hackers, trying to learn their latest tricks...know your holes and plug them.


Q4. If you thoroughly validate your input then you should be fine. True or False.

FALSE! Most validation is done client-side, in JavaScript. Turn that off and see how your web page reacts. Even with good server-side validation, you sometimes have to accept free-form strings...and those can be used to nail you with SQLi. That said, you make huge strides when you validate thoroughly...always do it! It makes your job of stopping them so much easier. It just isn't enough on its own, so don't rely on your best validation efforts as a "be all end all" sort of thing.


Q5. Removing single-quotes from input data is an effective means of preventing SQLi. True or False.

FALSE! Well, true, but false. Getting rid of single quotes is one part of defense in depth. It will stop them from ending a string and putting a new command after it. Sure. But the hacker can encode the quote to hide it...are you checking for that? And a single quote can be a legitimate part of a last name like O'...do you let that through? Like other validation methods, it isn't enough to scrub out single quotes and sleep well at night.


Q6. SQLi defense is like chasing a wind: by the time you figure out what to do it shifts and you have to do something else to protect your apps. True or False.

BIG FALSE! Go back to Q1. Make your queries parameterized. Done. It isn't hard. Like I said earlier, don't chase the wind...don't keep up on every hacker trick so you can be prepared for them. Instead know your holes and plug 'em. Analogy -- don't stay on top of what tools people are using to break into houses through windows. Instead, put bars on your windows, lock them, etc. Know what the holes are and plug them, rather than finding out what tools are being used and trying to thwart each of them.

SQL Injection is TOTALLY preventable. And it is YOUR responsibility to code for that. If you didn't get all the above correct, you are not alone. Just dig in more at sites like and read up on how to do parameterized queries on MSDN...etc. You can do this!
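The Q1, Q5 and Q6 points side by side, as an added example that is not part of the original post: a name lookup built by string concatenation, the single-quote-stripping variant, and the parameterized version, all run against a constructed in-memory SQLite table. The table, rows and function names are my own assumptions, not anything from the post.

```python
import sqlite3

# Constructed sample rows for the demo; one name legitimately contains a quote.
USERS = [("alice",), ("O'Brien",), ("bob",)]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", USERS)
    return conn


def find_concat(conn, name):
    """Vulnerable: the input is pasted into the SQL text, so SQLite parses it as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_strip_quotes(conn, name):
    """Q5's 'fix': scrub single quotes first. Safe against this one trick, but it
    also mangles legitimate names such as O'Brien, which then never match."""
    return find_concat(conn, name.replace("'", ""))


def find_param(conn, name):
    """Q1/Q6: parameterized. The value is bound separately from the SQL text,
    so whatever it contains is compared as data, never parsed as a command."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo():
    """Run each variant on a quote-closing input and on a legitimate quoted name."""
    conn = make_db()
    closer = "' OR '1'='1"  # ends the string literal and appends a true condition
    try:
        concat_legit = find_concat(conn, "O'Brien")  # unbalanced quote: syntax error
    except sqlite3.OperationalError:
        concat_legit = "syntax error"
    return {
        "concat_closer": find_concat(conn, closer),       # every row comes back
        "param_closer": find_param(conn, closer),         # nothing matches
        "concat_legit_name": concat_legit,                # query itself breaks
        "strip_legit_name": find_strip_quotes(conn, "O'Brien"),  # OBrien: no match
        "param_legit_name": find_param(conn, "O'Brien"),  # exact match, no scrubbing
    }
```

Note that the concatenated version fails on O'Brien even with no attacker involved, which is exactly why people reach for quote-stripping; the parameterized version needs neither the scrubbing nor the worry.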
