I was first exposed to SQL injection when David Litchfield (see his blog) came and gave a talk on the subject while I was working at the NSA in the summer of 2002. SQL injection is a type of security vulnerability that occurs when some code includes untrusted input, such as a website form field, in a SQL database query without first escaping or removing special characters that may affect SQL syntax (‘, ”, \, etc.). This may subsequently allow an attacker to terminate the original query and inject another query to do something malicious, such as the following: “”; DROP TABLE users;”. After hearing about SQL injection, my friends and I proceeded to go home and type “‘”; select * from users;” into form fields on numerous websites. Though we didn’t see any database table dumps, a surprisingly large number of sites gave us responses with SQL syntax errors, indicating potential vulnerabilities.

Things have changed a lot since the advent of SQL injection attacks. Many security researchers have investigated the topic and written papers on how to correct the problem. As the title of this blog post suggests, however, the SQL injection problem has been solved. Sometimes it makes sense for people to continue researching a problem when existing solutions have serious usability constraints or add significant development overhead. That is not the case for SQL injection. The rest of this article briefly touches on some SQL injection research and then shows you how to avoid vulnerabilities on your website using a common PHP library as an example.

(more…)