Wednesday 4 February 2015

Proving SQL Injection Vulnerability
I have recently come across what I believe to be a serious flaw in the security of a 3rd party computer program used within my company. Apologies for deliberately keeping details vague, but I hope you understand!


When entering items into the database, one cannot enter a single apostrophe into the name field - users have typically resorted to using '' instead. I hence discovered this problem when attempting to parse CSV output from an export run by this program, when the value delimiting broke the parser I was using.


I spoke to the support team responsible for this 3rd party piece of software, questioning whether this was an attempt to avoid SQL injection, who confirmed that the reason for this was "to avoid issues in SQL". Whilst this is an internal use only system, I cannot help but feel that

  1. This is horrendous coding practice - simply using prepared statements instead would instantly resolve this issue (as well as allowing single apostrophes in CSV exports and preventing a lot of hack-y workarounds as a result).

  2. There has to be some way that one can arbitrarily execute SQL without using a ' on its own, i.e. '' or ''' is fine, just ' is not.

I raised this with my manager as soon as I discovered it (and jumped to the SQL injection conclusion), but before I really start to escalate things I would like some confirmation that it is the security hole I believe it to be (in addition to just awful coding practice).


If someone can confirm that my suspicions that would be great, and if you can come up with an example of malicious SQL code not using an isolated ', I would greatly appreciate it.
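The contrast drawn in point 1 above, as an added example that is not part of the original post: a hypothetical reconstruction of the "reject a lone apostrophe, then concatenate" approach next to a prepared statement, run against an in-memory SQLite table (the real product's code and database are not known). It shows that the filter turns away ordinary names while the parameterised insert stores any apostrophes verbatim and exports them cleanly to CSV.

```python
import csv
import io
import sqlite3

# Constructed sample schema; the vendor's real schema is not known.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn

def insert_filtered(conn, name):
    """Hypothetical vendor-style path: input filter plus string concatenation."""
    # Reject an isolated apostrophe; a doubled one ('') is let through because
    # the database reads it as an escaped quote inside the string literal.
    if "'" in name.replace("''", ""):
        raise ValueError("single apostrophe not allowed")
    conn.execute("INSERT INTO items (name) VALUES ('" + name + "')")

def insert_param(conn, name):
    """Prepared statement: the value is bound, never spliced into the SQL text,
    so no apostrophe filter and no user-side workaround are needed."""
    conn.execute("INSERT INTO items (name) VALUES (?)", (name,))

def export_csv(conn):
    """Plain CSV export of the table, as the post's export step would produce."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in conn.execute("SELECT id, name FROM items ORDER BY id"):
        writer.writerow(row)
    return buf.getvalue()

def demo():
    conn = make_db()
    rejected = False
    try:
        insert_filtered(conn, "O'Brien")          # legitimate name, refused
    except ValueError:
        rejected = True
    insert_filtered(conn, "O''Brien")             # the workaround users resort to
    insert_param(conn, "O'Brien")                 # stored as typed
    insert_param(conn, "Rock 'n' Roll")           # two lone apostrophes, still fine
    names = [r[0] for r in conn.execute("SELECT name FROM items ORDER BY id")]
    return rejected, names, export_csv(conn)

if __name__ == "__main__":
    print(demo())
```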