SQL injection doesn’t exist if you close your eyes to it? Right??

At work we submitted a bug submission about 2 months ago for one of our systems complaining that it was tripping up when we were using certain words within the title field. These words are commonly used by us at the university, some no longer due to a restructure last year, but others will always be used. One of these words we’d notice was ‘Exec’ which was the abbreviated form of Executive (Dean).

Anytime this word was being used an error was occurring, and we couldn’t make changes. Naturally we submitted our bug submission to the vendor and detailed what had occurred and waited, and waited. I think we’d forgotten about it as we’re so busy working on the upgrade project now. Overnight they finally got around to responding to this bug submission by telling us that their system was treating this as SQL injection and we should not use certain words. I read these words and had a WTF moment, I wanted to send it to a friend at the university who’s a Professor of Cyber Security, he’d be utterly horrified (or perhaps unsurprised?) by their response. In effect, the vendor was saying don’t use certain words because we’re bullshit programmers, why the hell is a title field ever allowed to execute SQL statements in the first place? For the life of me I can’t think of any good reason why it should.

Deep breaths. Deep breaths.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s