Are SQL injections still a threat?

Question

I've been wondering if SQL injections are still a possible threat for everyday, normal websites, with parameterized SQL. (ASP.NET - '@0').

If it is still a threat, how would crackers override or get around these parameters?

Answer 1

According to OWASP, it was still the top threat in 2013 (long after ASP.NET came out): https://www.owasp.org/index.php/Top_10_2013-A1-Injection

Parameterized SQL doesn't remove the need to worry about SQL injection. I have worked at a company where previous developers created stored procedures that took a string as a parameter, created some dynamic SQL including that string and executed it. They had claimed it was safe because it was parametised, but I was able to show that I could pass SQL code into the stored proc and have it executed.

Also, claiming that you are safe from SQL injection because you use a language that supports parameters doesn't mean that you are using parameters every single time. It only takes one slip up for someone to be able to inject some code into your database.

Answer 2

Yes, SQL injections are still a threat. There are always new vulnerabilities found with these types of things.

Here are some reasons why injections can still be thought of as a threat.

• It's an easy attack, only one computer is required when others take many computers to attack.
• Bad programming, bad programming can lead to some easy vulnerabilities. You have to make your database as secure as it possibly can to make it harder for attackers to find vulnerabilities.
• Trusting user input, sometimes trusting user input this much can really go wrong without any verification.

Those are just a few. Remember though, if you're going to be using an SQL database. Make sure that you consider the vulnerabilities in your project before you let the public use it.