Ericka Chickowski posted an interview with the creators of the open source library AntiSQLi at Dark Reading. She is discussing a very interesting development tool, but the value proposition gets somewhat lost in the creators’ poor terminology.
First some background: there is no such thing as an 'unparameterized' database query. Every SQL query has at least two parameters in the broad sense: the column list in its SELECT clause and, whenever it filters rows, the comparison values in its WHERE clause. Leave either clause empty and the statement fails in the parser and returns an error. No parameters, no query.
So SQLi is not really a problem of 'unparameterized' queries; it is a problem of unvalidated input values flowing into those parameters. SQLi is where we shove bad data into parameters, not a lack of parameters!
The AntiSQLi library is simple and clever: it works like an app-side stored procedure, and like a stored procedure it enforces a data type on each of its input values. It essentially performs the casting operation that forces type and, in some cases, length. AntiSQLi rejects values that do not match the prescribed data type, and over-long values where a length is prescribed. Obviously it cannot catch everything (a value of the right type and length can still carry hostile content, so type enforcement complements binding values to the query rather than replacing it), but it does filter out many common and crude SQLi attacks.
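To make the "app-side stored procedure" idea concrete, here is an added example (written for this post, not AntiSQLi's own code, which is not shown on this page) in Python against an in-memory SQLite table. The table contents, the attack strings and the cast_int/cast_text helpers are all constructed for the illustration. The concatenated lookups show what the crude attacks do; the typed lookups cast each input to its declared type and length first, then pass it to the database as a bound value, so the same strings are either rejected or treated as plain data.

```python
import re
import sqlite3


class ParamTypeError(ValueError):
    """Raised when an input does not fit the declared parameter type or length."""


def make_db():
    # Constructed sample table for the example; not data from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "root")])
    return conn


# --- Vulnerable: the raw input is spliced into the statement text -----------

def lookup_by_id_concat(conn, user_id):
    sql = "SELECT id, name FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_name_concat(conn, name):
    sql = "SELECT id, name FROM users WHERE name = '" + str(name) + "'"
    return conn.execute(sql).fetchall()


# --- Typed: cast to the declared type/length first, then bind ---------------

_INT_RE = re.compile(r"-?\d+")


def cast_int(value):
    # Strict decimal check before int(): int() alone would accept "1_000".
    text = str(value).strip()
    if not _INT_RE.fullmatch(text):
        raise ParamTypeError(f"not an integer: {text!r}")
    return int(text)


def cast_text(value, max_len):
    text = str(value)
    if len(text) > max_len:
        raise ParamTypeError(f"text longer than {max_len} chars")
    return text


def lookup_by_id_typed(conn, user_id):
    uid = cast_int(user_id)
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


def lookup_by_name_typed(conn, name, max_len=32):
    who = cast_text(name, max_len)
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (who,)).fetchall()


def run_demo():
    """Run both paths against the same inputs; returns a dict of outcomes."""
    conn = make_db()
    out = {}
    # Crude attacks succeed against concatenation: every row comes back.
    out["concat_int_attack"] = lookup_by_id_concat(conn, "1 OR 1=1")
    out["concat_text_attack"] = lookup_by_name_concat(conn, "x' OR '1'='1")
    # A legitimate apostrophe breaks the concatenated statement outright.
    try:
        lookup_by_name_concat(conn, "O'Brien")
        out["concat_quote"] = "ok"
    except sqlite3.Error:
        out["concat_quote"] = "syntax error"
    # Typed path: whitespace-padded integer is cast and matches normally.
    out["typed_int_ok"] = lookup_by_id_typed(conn, " 2 ")
    # Bound text is just a name that happens to contain quotes: no match.
    out["typed_text_attack"] = lookup_by_name_typed(conn, "x' OR '1'='1")
    out["typed_quote"] = lookup_by_name_typed(conn, "O'Brien")
    # Wrong type or over-long values are refused before any SQL is built.
    for key, fn, arg in (("typed_int_attack", lookup_by_id_typed, "1 OR 1=1"),
                         ("typed_text_too_long", lookup_by_name_typed, "a" * 40)):
        try:
            fn(conn, arg)
            out[key] = "accepted"
        except ParamTypeError:
            out[key] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:22} {value}")
```

The length cap in cast_text is the part that a pure bind-variable approach does not give you; the bind variable is what makes the quoted string harmless, and the cast is what turns "1 OR 1=1" into a rejected request rather than a query.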
A better term would have been "un-cast query parameters". (In common industry usage a "parameterized query" means a prepared statement whose values are bound by type rather than concatenated into the SQL text, which is the sense the AntiSQLi authors intend.) Regardless of the terminology, though, I am happy to see innovation in this area. For years I have been recommending that developers build this functionality into their own reusable security libraries; AntiSQLi is a quick and easy way to get started, and a nice tool to have in your toolbox.
One Reply to “Casting out SQLi”
Thanks for reading the article! I’m glad you think the library will be useful. If we can reduce the occurrences of SQLi at all I’ll be very happy.
Regarding the terminology, we didn’t mean to be confusing. “Parameterized Queries” is a pretty common way of describing queries where each parameter has been defined by type vs. concatenated SQL queries.
For more information on SQLi Jeff Atwood from Coding Horror has a good blog post from a while ago here:
http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html
Of course OWASP has great resources as well here:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
and here:
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
I’m glad you think AntiSQLi is a good library, I’d love to hear from anybody using it (both the good and the bad). And of course fork the project from github and send us some pull requests! I’d love to improve the codebase through community involvement.
Thanks,
Joe