
SQL Injection Everywhere

By Steve Jones

I was doing the laundry the other day and thinking about SQL Injection. I have this fancy front-load model that lets me load fabric softener and bleach into containers for release later, and it occurred to me that if my washing machine were connected to the Internet with some API, it's possible someone could SQL inject or buffer overrun a string that might release a stream of bleach into my colors.

Not terribly dangerous, but it could be annoying, and it is exactly the type of hack some bored teenager would come up with. Then I started thinking about what else they might do. I wrote about the possibilities with cars recently, but what else could a hacker do in a connected world? What if someone could ignite my oven? Likely it wouldn't do much more than cost me money. Turning up my fridge might make a mess of food, but it isn't dangerous. However, what if someone could turn off the lights when they saw you start running down the stairs? That could be dangerous.

What if they could remotely enable your sprinklers while you were at work? In some places that could result in a fine. Allowing that to happen a few times might get you arrested. Locking or unlocking your car doors (already a remote possibility) could endanger you. I'm sure there are more malicious possibilities I haven't thought of, and as we move to a more connected world, I worry we will discover them only when some crime has been committed.

I like the convenience of adding digital controls and remotes to more parts of our lives, but I do worry that we are doing so in a way that ignores security. Linking the convenience items of our lives to remote digital controls can be dangerous enough. Adding in more essential items, like heating, engines, etc., to the same control bus could be fatal.

SQL Injection will likely be around for a long time, and it will get used in many new ways as more and more aspects of our lives are digitized. All developers should be aware of how an injection attack occurs, and code to be sure that we don't allow any unsanitized input into any of our databases, and that we also require separate authentication for the parts of a system that need more security.
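To make the washing-machine scenario concrete, here is an added example (not code from the editorial or from any real appliance) of the same permission check written two ways: one that builds the SQL by concatenating the caller's input, and one that binds it as a parameter, with an allow-list check in front as a second layer. The table, column names and sample rows are assumptions constructed for this example; it uses Python's built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data for the washing-machine scenario: which dispensers
# each wash cycle may use. Table and column names are assumptions made for
# this example, not anything from the article.
def make_appliance_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cycle_dispensers (cycle TEXT, dispenser TEXT)")
    conn.executemany("INSERT INTO cycle_dispensers VALUES (?, ?)",
                     [("whites", "bleach"), ("whites", "softener"),
                      ("colors", "softener")])   # no bleach for colors
    return conn

def may_dispense_vulnerable(conn, cycle, dispenser):
    """Builds the SQL by string concatenation: the caller's text becomes SQL."""
    sql = ("SELECT 1 FROM cycle_dispensers WHERE cycle = '" + cycle +
           "' AND dispenser = '" + dispenser + "'")
    return conn.execute(sql).fetchone() is not None

def may_dispense_parameterized(conn, cycle, dispenser):
    """Same check with bound parameters: the values are only ever data."""
    sql = "SELECT 1 FROM cycle_dispensers WHERE cycle = ? AND dispenser = ?"
    return conn.execute(sql, (cycle, dispenser)).fetchone() is not None

KNOWN_CYCLES = frozenset({"whites", "colors"})
KNOWN_DISPENSERS = frozenset({"bleach", "softener"})

def may_dispense_validated(conn, cycle, dispenser):
    """Defense in depth: allow-list the inputs before they reach the database."""
    if cycle not in KNOWN_CYCLES or dispenser not in KNOWN_DISPENSERS:
        raise ValueError("unknown cycle or dispenser")
    return may_dispense_parameterized(conn, cycle, dispenser)

if __name__ == "__main__":
    conn = make_appliance_db()
    crafted = "colors' OR '1'='1"   # a "cycle name" that is really SQL text
    # Concatenated query now reads ... cycle = 'colors' OR '1'='1' AND ...,
    # so the whites/bleach row satisfies it and bleach goes into the colors.
    print(may_dispense_vulnerable(conn, crafted, "bleach"))      # True
    # Bound parameter: no cycle is literally named that, so nothing matches.
    print(may_dispense_parameterized(conn, crafted, "bleach"))   # False
```

The parameterized version is the fix; the allow-list is not a substitute for it, only an extra check that also catches typos and unexpected values before any query runs.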

Steve Jones

The Voice of the DBA Podcasts

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

