Does make sense to check on malicious SQL input from an authenticated user?
Viewed 104 times
-1
- Accounts can be hacked etc. – jarlh Jan 04 '22 at 11:58
- Does this answer your question? [How does the SQL injection from the "Bobby Tables" XKCD comic work?](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work) – Elikill58 Jan 04 '22 at 13:33
- Why are you trying to bargain? What's the point in having two sets of queries? Isn't it simpler to process all queries the same (protected) way? – Your Common Sense Jan 16 '22 at 10:12
- What is malicious SQL input? Isn't any input potentially malicious if you have an SQL injection bug? – Dharman Jan 17 '22 at 12:24
2 Answers
3
An authenticated user can inject queries that bypass his security settings if such a query doesn't enforce security checks on fields/objects.
Also, if a class is defined as `without sharing`, a simple where clause addition such as `OR id != null`
into the query can fetch records that he should not have access to, such as salary statements of his colleagues!!
So in conclusion, all queries must be checked for SQL injection.

debugger
2
Many SQL injection vulnerabilities are not malicious attacks, and won't result in damage. They just result in unnecessary errors that confuse your users and spoil your application's features.
```sql
SELECT * FROM Users WHERE last_name = 'O'Reilly'
                                        ^ mismatched quote
```
Why would you ever not write your code to avoid SQL injection?

Bill Karwin
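A runnable illustration of the point made by both answers, added here and not code from either answer: the first answer's authenticated user widening a "my own record" query to read colleagues' salaries, and Bill Karwin's perfectly honest `O'Reilly` breaking a concatenated statement. It uses Python's built-in `sqlite3` with a constructed in-memory `employees` table. One assumption to note: the first answer's clause is written for SOQL, where `id != null` is a null test; in SQL `!= NULL` never matches, so the equivalent clause used below is `OR id IS NOT NULL`.

```python
import sqlite3


# Constructed sample data (not from the original post): an in-memory table of
# employee salary records, the kind of data the first answer is worried about.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, last_name TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(1, "Smith", 50000), (2, "O'Reilly", 62000), (3, "Chi", 58000)],
    )
    return conn


# --- First answer's case: an authenticated user widening a query -----------

def own_salary_concat(conn, user_id):
    """Vulnerable: the id arrives from the request as text and is pasted into SQL."""
    sql = "SELECT id, last_name, salary FROM employees WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def own_salary_param(conn, user_id):
    """Safe: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT id, last_name, salary FROM employees WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# --- Bill Karwin's case: an innocent apostrophe breaking the statement -----

def by_last_name_concat(conn, last_name):
    """Vulnerable: the same pattern, now around a quoted string literal."""
    sql = "SELECT id FROM employees WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def by_last_name_param(conn, last_name):
    """Safe: the driver handles quoting, so O'Reilly is just a name."""
    sql = "SELECT id FROM employees WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demo():
    conn = build_db()
    results = {}

    # Logged-in user 3 asks for "my salary". The concatenated query trusts the
    # text of the id, so the extra clause the first answer describes (SQL
    # spelling: OR id IS NOT NULL) turns it into "every salary in the table".
    widened = "3 OR id IS NOT NULL"
    results["concat_widened"] = own_salary_concat(conn, widened)  # all 3 rows
    # Bound as a parameter, the same text is compared with the id column as a
    # plain value: it is not a number, matches nothing, and nothing leaks.
    results["param_widened"] = own_salary_param(conn, widened)    # []
    results["param_own"] = own_salary_param(conn, "3")            # user 3 only

    # Honest input with an apostrophe: concatenation produces
    #   ... WHERE last_name = 'O'Reilly'
    # and the database rejects the statement before any user is "attacked".
    try:
        by_last_name_concat(conn, "O'Reilly")
        results["concat_oreilly"] = "no error"
    except sqlite3.OperationalError as exc:
        results["concat_oreilly"] = "error: " + str(exc)
    results["param_oreilly"] = by_last_name_param(conn, "O'Reilly")  # [(2,)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The same fix serves both cases: bound parameters keep the user's text out of the SQL grammar, so the authenticated user's query cannot be widened and the O'Reillys of the world stop seeing syntax errors. Type-checking the id in application code (for example converting it to an integer before the lookup) is a sensible extra step, but it is not what makes the parameterized version safe.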
- Good question. Thank you for posing it. I am keen to get opinions and clarity on this. I am working within a web application that requires credentials to function. From my naïve perspective, I see enforcing 2 factor authentication, and user authorization, should be good enough to trust the user. If the user at that point attempts a malicious attack, I think my company has bigger problems to address within the HR office. Metaphorically I'd say that once I let a person into my house I have a sufficient level of trust to not chain my TV to the wall. Makes sense? – Chi Jan 14 '22 at 14:08
- No. I get your point. In this case it will return an invalid input error or mismatch error. – Chi Jan 14 '22 at 15:23
- Right, and the solution to prevent those errors is the same solution that we recommend to prevent SQL injection vulnerabilities: use query parameters. – Bill Karwin Jan 14 '22 at 15:38
- I guess I should rephrase my question then: Should I care about preventing malicious SQL injection attacks from a user who has been authenticated and authorized? – Chi Jan 14 '22 at 17:27
- Never trust users? Forgive my incredulity. Just want to be sure I understand here, are you suggesting to consider all users potential criminals? I agree from a "data quality" perspective the system should validate inputs. – Chi Jan 15 '22 at 18:29
- The users aren't necessarily criminals, but you should count on them doing actions against your website as if they are. They will enter inputs you never thought any reasonable person would. They will overwhelm your site with requests. You need to write code to limit the actions they can do, and make sure the site handles it gracefully. – Bill Karwin Jan 15 '22 at 20:27
- But to the point, yes, _some_ users might be criminals. People will pretend they need a legitimate account, then exploit their access to do illicit things. Sorry to spoil your innocence, but you need to design software with this in mind. – Bill Karwin Jan 15 '22 at 20:29
- Spoil my innocence? I know this world is rotten from the inside. I just don't understand the logic in this. Why would you give the keys to your house without trusting the person? I see companies are using recruiters, who are young and inexperienced, to hire people. Refusing to face a deeper error, you are simply making life difficult for the users and not for the criminals, because the criminals are much much more skilled than users. – Chi Jan 17 '22 at 10:56
- Anyway, just use query parameters. Then you don't have to worry about SQL injection in most cases. – Bill Karwin Jan 17 '22 at 14:24