Re: why most sql injection is not occurred at mysql?
From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Tue, 23 Oct 2007 10:14:17 -0700
Funny you mention this because in my experience I found more sql
injections in mysql websites. But as you mention it's not related to the
database but how it has been implemented inside the web application
or/and inside the stored proc.
As for MySQL, since there were no stored procs before version 5.0, it
removes that threat inside the stored proc in the older versions.
However, the thing is, most developers rely on the magic quotes
function that might seem to reduce the problem in MySQL, but it is still
there when an integer parameter is used. The bottom line is they might
just be harder to find or require more energy to find.
Here is what I noticed with experience: depending on the languages used for
the web development, the chances were higher to get SQL injection if it
was ASP, PHP or Perl. Why? Because the learning curve for those
languages is small and unfortunately most of the examples used for
database interaction (SELECT, UPDATE, etc...) in books and websites use
string concatenation for simplicity and space limitation. Also, PHP
didn't have any system of prepared statements until (relatively)
recently, so by design there was blind sql injection.
Now, if you ask me if in general a SQL injection is more dangerous in
MS-SQL or Oracle than MySQL, I'll say most definitely. MS-SQL and Oracle
are closer to the OS and have more powerful stored procs. But again,
MySQL has enough harmful functions to create as much damage as any
other DBMS and it takes only one good vulnerability to own the system...
My 2 cents,
As I know, sql injection itself has no relation with the database.
Surely I have seen sql injection occur at mysql.
But in my short experience, most sql injection occurs at ms-sql or oracle, not mysql.
I don't know why.
Thanks for your help in advance.
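
The integer-parameter point in the reply above, as an added example that is not part of the original post: a quote-escaping filter leaves a numeric parameter open, while a type check plus a bound parameter closes it. It uses Python's sqlite3 as a stand-in for PHP and MySQL; `quote_escape`, the `users` table and the sample input are constructed for illustration.

```python
import sqlite3

# Constructed sample input: contains no quote characters at all.
CRAFTED_ID = "1 OR 1=1"


def quote_escape(value: str) -> str:
    """Hypothetical stand-in for a magic-quotes style filter:
    backslash-escapes backslashes and quote characters only."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def lookup_concatenated(db: sqlite3.Connection, user_id: str) -> list:
    """The 'before' pattern: escaped input concatenated into a numeric
    context. There are no surrounding quotes, so escaping changes nothing."""
    sql = "SELECT name FROM users WHERE id = " + quote_escape(user_id)
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: enforce the integer type, then bind the value so it
    is never parsed as SQL text."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # reject anything that is not an integer
    rows = db.execute("SELECT name FROM users WHERE id = ?", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("escaped input:  ", quote_escape(CRAFTED_ID))
    print("concatenated:   ", lookup_concatenated(db, CRAFTED_ID))
    print("parameterized:  ", lookup_parameterized(db, CRAFTED_ID))
```
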