There are still professional security auditors who say “Use stored procedures to make your database secure!”
One time I showed an auditor a stored procedure:
EXEC CONCAT(@param1, @param2)
(For those who don’t know: that is an obvious SQL injection vulnerability. For those that do know sorry about the massive cringe)
His response? “What the hell is that I don’t know SQL”
It's the people coding their own websites and not sanitizing their inputs or whatever. So hackers do shenanigans with the form submissions or whatever and get the server-side code to do a malicious sql query for them.
I seem to remember there was a way to literally inject SQL itself. It involved putting an SLQ comment (--) and then a malicious query, and then SQL itself would execute the comment, commenting out the developer's query and executing yours.
I was under the impression SQL injection wasnt really doable in most modern versions of SQL.
SQL injection is very much alive. It has nothing to do with how modern an SQL server is. People still query it in insecure ways.
There are still professional security auditors who say “Use stored procedures to make your database secure!”
One time I showed an auditor a stored procedure:
EXEC CONCAT(@param1, @param2)
(For those who don’t know: that is an obvious SQL injection vulnerability. For those that do know sorry about the massive cringe) His response? “What the hell is that I don’t know SQL”
It's the people coding their own websites and not sanitizing their inputs or whatever. So hackers do shenanigans with the form submissions or whatever and get the server-side code to do a malicious sql query for them.
I think i was conflating SQL injection with a different SQL vulnerability that used to exist but was removed in more modern versions some time ago.
I seem to remember there was a way to literally inject SQL itself. It involved putting an SLQ comment (--) and then a malicious query, and then SQL itself would execute the comment, commenting out the developer's query and executing yours.
It's not typically the SQL that's the problem but the way its used. I'd bet it's not the issue here but it's not out of the question.
Well, I guess I was wrong. SQL injection it is.