Website Security – SQL Injection
Website security and application security are becoming more problematic as time goes by. Just within the past month there was the United Airlines hack scare, then it was confirmed that UCLA Health was hacked, and now the adultery site Ashley Madison has been hacked (and they really bragged about their security, too).
Of course these were some big companies that the hackers wanted. This took planning, experience and a team to do it. Since all the details have not been released, I can’t comment on how the hackers got in. Even the few details that have been released need to be taken with a grain of salt. The bottom line is that the website security was not as secure as they thought.
One common method of breaking through website security is SQL injection. This method is easy and common, and it usually succeeds only because of poor security measures. What it does is steal the data from the database via the website: for example, it can “inject” an SQL statement (code that talks to the database) through the log-in form or any input area where users type information. Although I won’t be discussing them in this article, there are many variations of SQL injection, and combinations with other methods, that can defeat a website's security measures.
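As an added example that is not part of the original article: the same log-in lookup written two ways, using Python's built-in sqlite3 module against a constructed in-memory user table (the usernames and the hash placeholders are assumptions for the demo, and comparing a password hash inside the SQL statement is a simplification of how a real log-in works). The concatenated version lets anything typed into the form become SQL text; the parameterized version sends the values separately, so the input is only ever compared as data.

```python
import sqlite3

# Constructed in-memory stand-in for a site's user table (names and hash
# placeholders are made up for this demo; a real site stores slow password
# hashes and verifies them in application code, not inside the SQL query).
USERS = [
    ("alice", "hash-of-alice-pw"),
    ("o'brien", "hash-of-obrien-pw"),   # legitimate name containing a quote
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the statement by string concatenation: whatever the visitor
    typed into the form becomes part of the SQL text, so a quote character
    can end the string literal and the rest is run as SQL."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password_hash):
    """Uses placeholders: the values travel separately from the statement,
    so the form input is only ever compared as data and cannot change the
    query's structure."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


def compare(username, password_hash):
    """Run the same form input through both versions. Each result is the
    matched user id, None for a rejected log-in, or "sql error" when the
    concatenated statement could not even be parsed."""
    conn = make_db()
    results = {}
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        try:
            results[name] = fn(conn, username, password_hash)
        except sqlite3.OperationalError:
            results[name] = "sql error"
    conn.close()
    return results


if __name__ == "__main__":
    # Correct credentials: both versions log alice in (id 1).
    print(compare("alice", "hash-of-alice-pw"))
    # Honest user whose name contains a quote: concatenation produces a broken
    # statement, the parameterized version logs them in (id 2).
    print(compare("o'brien", "hash-of-obrien-pw"))
    # Input that closes the quoted string and comments out the password check:
    # concatenation logs in as alice with the wrong password, while the
    # parameterized version looks for a user literally named "alice' --"
    # and finds none.
    print(compare("alice' --", "not-the-password"))
```

The second case is the one to point out to a developer who says "nobody will attack my little site": concatenation fails even for honest input with an apostrophe in it, so placeholders are a correctness fix as much as a security one. The same pattern applies to every place the site builds a query from user input, not only the log-in form.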
Firewalls and similar intrusion detection mechanisms provide almost no defense against a full-scale SQL injection attack. The reason is that your website is public and you have already allowed traffic to communicate over its port. Since the website has open access to the database in order to read and update information, it is open season for injection attacks if proper website security measures aren’t in place.
So why does SQL injection happen so often? The full answer to this question still eludes me… I suppose it comes from a combination of different reasons.
Businesses often do not want to spend a lot of money on something, especially if they do not understand it. As a result they get the cheapest product they can find. With a cheap website come cheap website developers who are not properly educated, and so cheap website security is what gets implemented.
Another reason is simply programmer laziness (which you see more often than not). I would say a third of my work is going in behind other programmers from older or other companies and cleaning up the mess they left. These programmers, many of whom I have had repeated encounters with, could secure a website if they wanted to. But they chose not to do the website security work because the client didn’t know the difference and they could shave off hours.
Also worth mentioning is that times change, and methods that were once secure become outdated. I love using WordPress for clients who want a CMS (Content Management System), but I absolutely hate the security holes in it. Every so often you will read about a breach, with an update to WordPress being released shortly thereafter.
Regardless of the reason the website security is breached, the fact remains that if there is an issue it needs to be fixed. Thankfully it usually isn’t a complicated process to patch it up.