


Re: nosql systems fall for some of the same old traps

From Sylvia Else <sylvia@not.at.this.address>
Newsgroups comp.misc
Subject Re: nosql systems fall for some of the same old traps
Date 2015-11-16 18:52 +1100
Message-ID <datg9aF94dmU1@mid.individual.net> (permalink)
References <dalm90F90tfU1@mid.individual.net> <n24lgq$od9$1@dont-email.me>



On 13/11/2015 11:36 PM, Rich wrote:
> RS Wood <rsw@therandymon.com> wrote:
>> http://www.theregister.co.uk/2015/11/13/nosql_security_new_generation/
>
>> NoSQL: Injection vaccination for a new generation
>> This future architecture still falls into some of the same old traps
>
>> //--clip
>> ...
>> NoSQL is, or was meant to be (you pick) the future architecture, an
>> opportunity, almost, to start afresh. Given that and with the wealth of
>> knowledge that's amassed from decades of SQL, you'd think NoSQL
>> databases and systems wouldn't fall into the same traps as the previous
>> generations of RDBM systems.
>> //--clip
>
> Obviously written by a reporter, not by a programmer.
>
> SQL injection attacks are the result of failing to treat data from
> "outside" as possibly malicious until it is defanged.
>
> The failure has nothing to do with SQL, or even with the connected
> database.  It is the code that interfaces between the DB and the world.
>
> That interface code exists, no matter the backing database.  And as
> long as some programmer writes that code assuming that all input data
> is only ponies and unicorns, these issues will continue to occur.
>

The underlying problem is an insufficient division between the 
definition of the query to be performed, and the data values to be used. 
Indeed, in some implementations, the only way to specify the data values 
is to encode them into the query which is constructed anew for each use. 
This makes injection attacks inevitable when the work is done by naive 
developers.

Even where the option exists to use parameter references, developers may 
use the query encoding approach just because it seems easier.

The solution is to prevent the appearance of literal values at all in 
the query language. This can be a pain, of course, where a value is 
genuinely constant (since it must still be supplied as a parameter), but 
it does make the system safer in the hands of inexperienced and/or 
indifferent developers.

Sylvia.
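The distinction Sylvia draws (query definition versus data values) is easy to see side by side. The following is an added example, not code from the original thread or from the article it discusses. It builds a throwaway SQLite database with constructed rows, shows the "encode the data into the query text" style beside the parameterised style, keeps a genuinely constant value (the role name) as a parameter as she suggests, and then repeats the same lesson for a document store: `find_docs` is a toy matcher written for this example whose `$ne` operator is modelled on MongoDB's, so that a client-supplied JSON object can turn a data value into a query fragment without any string concatenation at all. All function names, table and field names, and credentials are invented for illustration.

```python
import sqlite3

# --- SQL: the same query written two ways ---------------------------------

def make_db():
    """In-memory SQLite with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the data values are encoded into the query text, so the
    query is rebuilt from user input on every call.  A name such as
    "' OR 1=1 --" rewrites the WHERE clause and comments out the rest."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """Safe: the query text is a fixed string; name and password travel as
    parameters and can only ever be compared as values."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def admins_param(conn):
    """Even a constant ('admin') is supplied as a parameter, so the query
    language never carries a literal value at all."""
    sql = "SELECT name FROM users WHERE role = ?"
    return sorted(row[0] for row in conn.execute(sql, ("admin",)))


# --- NoSQL-style: no string building, same trap ----------------------------

DOCS = [  # constructed sample documents
    {"name": "alice", "password": "s3cret"},
    {"name": "bob", "password": "hunter2"},
]


def find_docs(docs, filt):
    """Toy document matcher (written for this example; not a real driver).
    A plain value means equality; {"$ne": v} means 'not equal to v', which
    mirrors MongoDB's $ne operator."""
    def matches(doc):
        for field, cond in filt.items():
            if isinstance(cond, dict) and "$ne" in cond:
                if doc.get(field) == cond["$ne"]:
                    return False
            elif doc.get(field) != cond:
                return False
        return True
    return [d for d in docs if matches(d)]


def nosql_login_naive(docs, body):
    """Vulnerable: `body` is the parsed JSON request.  If the client sends
    {"name": "alice", "password": {"$ne": ""}}, the 'value' is really an
    operator, and the filter becomes 'password is not empty'."""
    filt = {"name": body["name"], "password": body["password"]}
    return [d["name"] for d in find_docs(docs, filt)]


def nosql_login_checked(docs, body):
    """Safe: insist that credentials are scalar strings before they are
    allowed anywhere near the query.  Rejecting is the interface code's
    job, exactly as Rich says; the store cannot tell data from operators."""
    name, password = body.get("name"), body.get("password")
    if not isinstance(name, str) or not isinstance(password, str):
        raise ValueError("credentials must be plain strings")
    return [d["name"] for d in find_docs(docs, {"name": name, "password": password})]
```

Run `login_concat(make_db(), "' OR 1=1 --", "x")` and every user comes back; the parameterised version returns nothing for the same input. The document-store half makes the same point without a single quote character: the division between query and data was never enforced by the interface, so the injected operator is accepted as a value.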



Thread

nosql systems fall for some of the same old traps RS Wood <rsw@therandymon.com> - 2015-11-13 11:45 +0300
  Re: nosql systems fall for some of the same old traps Rich <rich@example.invalid> - 2015-11-13 12:36 +0000
    Re: nosql systems fall for some of the same old traps Sylvia Else <sylvia@not.at.this.address> - 2015-11-16 18:52 +1100
