Look up the Gell-Mann amnesia effect. The article doesn't know much about OWASP practices.

SQL injection bugs are not rookie mistakes; they're prevalent in many current and future applications. Look into the VTech SQL injection hack: a large company with lots of resources had a similar bug.

Look at previous hacks: the SolarWinds hack and the Sony hack were both preventable, common hacks.




A mistake can be both "rookie" and widely prevalent. That's exactly how I'd describe SQL injection.


Go ahead and try to implement a fix to a SQL injection bug in any of your systems. I can guarantee there's a SQL injection issue somewhere.

The reason it's so prevalent is that it's not a rookie issue and it's very difficult to fix properly without requiring significant changes.

That's why OWASP has it as a huge part of security analysis and resolution.


> I can guarantee there's a SQL injection issue somewhere.

This class of SQL injection issues can be eliminated by simply enforcing that all queries are string literals.


I'd amend this to "... or composed of local string literals". Programmatically-generated SQL can be advantageous in terms of maintenance, readability and even performance, depending on the situation.


Concur. Adding parameters to a query is what a "bind" is for.


> The reason it's so prevalent is that it's not a rookie issue and it's very difficult to fix properly without requiring significant changes.

Neither of these claims is true. Placeholders have been the recommended way to do this since the 1990s (I remember having this same talk with Perl & PHP 3 newbies) and one of the points of using a framework like Rails is that these are much easier to avoid if you use an ORM. The problem in this case is that they found a problem they (probably incorrectly) believed couldn’t be expressed in the ORM _and_ ignored the placeholder support _and_ didn’t validate their inputs. None of those require advanced experience to fix and at least the latter two are trivial to implement.
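The three positions in this sub-thread (queries as string literals, programmatic SQL built only from local literals, and bind parameters/placeholders) can be shown side by side in a few lines. This is an added example for the thread, not code from any commenter or from the article under discussion; it uses Python's standard-library sqlite3 module with an in-memory database, and the table, rows and hostile input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def find_user_interpolated(conn, name):
    """The pattern the thread criticises: caller-supplied text spliced into the SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn, name):
    """The fix: the SQL text is a string literal; the value travels as a bind parameter
    and is never parsed as SQL, whatever quotes or keywords it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers (column names, sort direction) cannot be bound as parameters, so
# programmatically-generated SQL of that kind is kept safe by assembling it only
# from literals that live in this module and picking among them with an allowlist.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_users_sorted(conn, sort_column):
    """'Composed of local string literals': the dynamic part is chosen, not copied."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = "SELECT name FROM users ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed tautology input; no real user has this name
    print(find_user_interpolated(conn, hostile))  # every row comes back: the input became SQL
    print(find_user_bound(conn, hostile))         # []: the input stayed a (non-matching) value
    print(list_users_sorted(conn, "email"))
```

Running the two lookups with the same input is the whole argument in miniature: the interpolated query returns every user, the bound query returns nothing, and the only difference is whether the value is inside the SQL text or beside it. The allowlisted ORDER BY shows why "string literals only" does not have to mean giving up dynamic queries.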


You would be amazed at the number of "developers" that have no idea what an SQL injection is when I ask them as part of my Full Stack developer interview.


> SQL injection bugs are not rookie mistakes

SQL injection bugs of this fairly trivial type are. This is literally what web tutorials were pleading with PHP developers not to do 20 years ago, and they weren't new then.


It's a failure of tooling. The library, or the compiler, should stop you from interpolating stuff into SQL strings. We've already seen things like this keep happening over and over until it's made impossible.

The whole situation is similar to having a construction scaffolding without safety railings, and calling someone falling off it a rookie mistake.


> a large company with lots of resources had a similar bug.

Large companies are even more likely to run into this sort of issue.

It's still a rookie mistake. Any given well established company will contain a large number of 'rookies'. It's up to the company and everyone involved to make sure these are caught before going into production.

