I bet the developer that built the recognition feature for this application never thought he would have this type of security issue. Someone sent me this picture, which is a fantastic use of SQL Injection that I had never thought of.
As I read about more and more OCR and translation services being used on data, especially pictures and audio data, and who knows what else, I think there are all sorts of new security issues we will have to be aware of. Even in places that you might not expect, perhaps inside of bar codes or other types of encoding mechanisms, there could be SQL injection techniques in play.
Can you imagine SQL injection commands being embedded in something like an RFID chip? I really hope that people building all those credit card reading machines have architected their applications to prevent injection techniques from being used.
The world of application development is expanding constantly, as cheaper computing devices become more pervasive. And with so much connectivity available, it's likely that our transactional databases are becoming more and more exposed to new security threats. As DBAs, we need to be aware of these issues and ensure we are informing developers of potential threats that can be exploited.
Even if you are not exposing your database today to external systems or connections, who knows if they'll be exposed in the future as someone seeks to expand their business opportunities. Practice safe computing, and ensure every developer understands what SQL Injection is.
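The picture above works because recognized text is spliced straight into a SQL string, so whatever the OCR engine read becomes part of the query's code. The following is an added example, not code from the editorial or from any product it mentions: it builds a constructed in-memory SQLite table and runs the same recognized name through a concatenated query and a parameterized one. The name `O'Brien` is a perfectly legitimate value that a scanner might read; the concatenated version chokes on the apostrophe (the same mechanism that lets a crafted image alter the query), while the parameterized version treats the text purely as data. The table, rows and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for an application's customer data.
SAMPLE_ROWS = [
    ("Ada Lovelace", "ada@example.test"),
    ("O'Brien", "obrien@example.test"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, recognized_name):
    """Vulnerable pattern (kept for contrast): the recognized text is pasted
    into the SQL string, so quotes or other characters the OCR engine read
    change the structure of the statement itself."""
    sql = "SELECT email FROM customers WHERE name = '" + recognized_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, recognized_name):
    """Hardened pattern: the SQL text is fixed and the recognized value is
    bound as a parameter, so it can only ever be compared as data."""
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (recognized_name,))]


def compare(recognized_name):
    """Run both lookups on the same input and return (concat, param) results.
    A failure of the concatenated query is returned as an 'error: ...' string
    rather than raised, so the two behaviours can be inspected side by side."""
    conn = make_db()
    try:
        concat_result = lookup_concat(conn, recognized_name)
    except sqlite3.OperationalError as exc:
        # The apostrophe in the input terminated the string literal early.
        concat_result = "error: " + str(exc)
    param_result = lookup_param(conn, recognized_name)
    conn.close()
    return concat_result, param_result


if __name__ == "__main__":
    for name in ("Ada Lovelace", "O'Brien"):
        print(name, "->", compare(name))
```

The point for developers is that the parameterized form needs no knowledge of where the text came from: a barcode, an RFID tag, an OCR pass or a web form all arrive as a bound value, and the database never interprets them as SQL. A quick code review check is to search for SQL built with string concatenation or formatting near any input-handling code, and convert each occurrence to the bound-parameter form.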
The Voice of the DBA Podcasts
The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.
Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.