Comment by emerongi
2 years ago
Back in ye olden days, almost every answer involving a database contained a SQL injection vulnerability.
2 years ago
Back in ye olden days, almost every answer involving a database contained a SQL injection vulnerability.
To their credit, a lot of people went back a decade later and fixed those. Although it doesn't stop people from repeating the mistakes.
I just got beaten up in HN for asking how the hell sql injection is still a problem. People get defensive, apparently.
Sounds about right.
Not even a few years ago I worked with people who insisted it was ok to write injection unsafe code if you knew for sure that you owned the injected values. Didn't matter that maybe one day that function would change to accept user-supplied data, that's not their problem! It was a Rails app and they were literally arguing wanting to do:
over:
in those certain situations. So, you know, it takes all kinds, I guess.
This is a case of militancy.
If we're talking about a typed integer there is no chance of that turning into an sql injection attack.
If we're talking about a string, I'd probably insist on parameterizing it even if we completely own it just on the off chance that the future changes.
To draw an analogy, gun safety is important and everyone knows it. But I don't practice gun safety while watching television on my couch because the gun is locked away. I practice gun safety when I'm actually handling the thing that is dangerous.
And yes, I realize it being locked away is technically gun safety, it's an imperfect analogy, please roll with it.
7 replies →
I think I agree with your coworkers. If the data is predefined constants, then you don't need to worry about injection. All functions have preconditions which must be met for them to work. As long as that's specified, that's acceptable.
Imagine the internals of a database. An outer layer verifies some data is safe, and then all other functions assume it's safe.
The example you're sharing is a bit of straw man. It's just as easy to use the parameter, so of course that's the right thing. But interpolating a table name into the string from a constant isn't wrong.
9 replies →
> I just got beaten up in HN for asking how the hell sql injection is still a problem.
It's possible for developers to think they're actually doing the right thing, but it turns out they're not.
https://www.npmjs.com/package/mysql#escaping-query-values
> This looks similar to prepared statements in MySQL, however it really just uses the same connection.escape() method internally.
And depending on how the MySQL server is configured, connection.escape() can be bypassed.
Yeah, the Nodejs ecosystem is sketchy in this regard. I've never put a Node-mysql site into production. Basically everything I write that runs DB queries is in PHP with PDO. But I got interested in Node for side projects and spotted this escaping flaw in node-mysql. That npm package also has two escaping modes, one which it calls "emulated" and which is probably less trustworthy. It doesn't seem like it was ever ready for primetime. I don't know if node-mysql2 addresses that... I ended up writing a promise wrapper for the original one that also turns everything into prepared statements. You still need to make sure NO_BACKSLASH_ESCAPES is off, although I have no idea why you'd ever turn it on.
So yeah, I'm coming from a PHP mindset where you can generally trust your engine to bind and escape values. My experience with Nodejs in this particular area caused me to write a lot of excess code (mostly to satisfy my own curiosity) and still convinced me not to trust it for the purpose.
In that light, I can understand how someone who jumped into the Nodejs ecosystem would think they were dealing with reliably safe escaping, and didn't realize what they were actually getting if they didn't read the fine print.
Hi! Sorry to report this, but I've pushed a SQL injection vuln to prod when I was still very green.
In my defense, we trusted the input. But that's post-rationalisation, because I simply didn't know what I was doing at the time.
It gets worse. If I'd done it properly, my senior would have beaten me up in code review for "complexity". That was a man who would never use a screwdriver when a hammer was already in his hand.
I once argued with a senior dev (later engineering manager, I guess he is a director of development now somewhere), that storing password hashes in unsalted SHA1 was bad.
His defense? "This system is internal only and never connected to the internet"
Senior titled devs don't necessarily know their shit.
6 replies →
To be fair, I’ve pushed vulnerabilities to prod when considered a senior and with 10+ years of experience. Nobody is immune to their own stupidity and hubris.
People who don't understand things often get cranky when they're told it's easy. Seems fair though, it does seem rude to tell someone missing a leg it's easy to run... But it also seems rude to get upset at someone who's good at something they've studied so perhaps everyone is bad at understanding the person they're talking to, and people should assume more good faith.
That’s why I prefer to use “straightforward” rather than “easy.”
People seem to take that much better.
4 replies →
If you ever have an issue with the Requests library in Python, just try again with verify=false.
Easier than getting the app team to fix their TLS.
Or the corporate IT team to remove their TLS-trashing MITM attack (because their Firewall Vendor claims that's still "Best Practice" in 2023 and/or the C-Suite loves employee surveillance).
Just be sure to try running the program with sudo first, before trying shitty solutions like that.
That seems insecure; just chmod -R 777 /
At least node has a variable to disable checks globally.