News Flash: SQL Injection Still a Problem
Bill Karwin
The threat of SQL injection has appeared prominently in the news recently:
- An SQL injection vulnerability resulted in an urgent June bugfix release of Ruby on Rails 3.x. Make sure you upgrade if you use Rails 3.0, 3.1, or 3.2! Also, you should disable mass assignment in any Rails project.
- Yahoo! Voices was hacked in July. The attack acquired 453,000 user email addresses and passwords. The perpetrators claimed to have used union-based SQL injection to break in.
- LinkedIn.com leaked 6.5 million user credentials in June. A class action lawsuit alleges that the attack was accomplished with SQL injection.
SQL injection was documented as a security threat in 1998, but new incidents still occur every month. Developers make honest mistakes and fail to defend against this means of attack, and as a result the security of online data is at risk for all of us.
Most computer professionals have heard of SQL injection, but advice about how to prevent this issue is generally incomplete and oversimplified.
On July 25, 2012, I will present "SQL Injection Myths and Fallacies" as a Percona webinar, to help shed light on the nature of the problem and on effective defenses against it. Whether you’re a software developer who uses databases, or a DBA who is responsible for secure operations, I hope you register for this webinar and join me as an evangelist for secure web programming.
Your online information is at risk too!