Not all security exploits occur on the device side; in many cases the server side is wide open, and far more damage can be done there if an exploit is found and abused. When developing a server component for any web-based or IoT solution, code injection is an item that should never be overlooked. It is quite easy to prevent with the right approach.
The most common code injection exploit targeted online is SQL injection; it occurs when input provided by the user is passed directly "as-is" to the underlying database engine, which results in unexpected behavior or complete loss of data.
While SQL injection attacks are most commonly targeted at well-known and established platforms, where the source code and database structures are well known, a badly written server script can also expose the structure of its underlying database, depending on how the results from the database layer are processed.
SQL injections are quite easy to understand. Consider the following:
// Deliberately vulnerable: user input is concatenated straight into the SQL text.
$query = "SELECT fieldlist FROM table WHERE field='".$_POST["input"]."'";
In the above PHP code, the value stored in the $_POST array under the key input is inserted into an SQL query that the developer has written. The developer expects that the information being passed will be a simple string, but what happens if the following is passed?
value'; DROP TABLE table; --
The query then becomes:
SELECT fieldlist FROM table WHERE field='value'; DROP TABLE table; --'
What was the unexpected side effect of this SQL injection? In SQL syntax, a semicolon is used to separate two different commands. In this case, the original query would be executed as normal, but the second command (the DROP TABLE statement) would do a lot more harm: the table called table would be dropped (deleted) from the database. That is surely not what the developer intended to happen with the code they had written.
There are well documented "cheat sheets" available for every database engine:
While the SQL injection exploit is quite common, there is also a fairly simple fix to prevent this type of attack. Depending on the scripting language being used server side, there will typically be a function you can pass the input string through to escape any special characters, hence avoiding this style of attack.
If you are using PHP, there is an excellent guide on the topic; however, just sanitising your inputs does not stop the possibility of your server being vulnerable to SQL injection attacks. Experts recommend using parameterized queries to substitute data into arguments using strict data types, or using filters to validate and sanitise the input before processing it.
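The parameterized-query and input-filter recommendations above, shown as an added example that is not code from the original article. It uses PDO with an in-memory SQLite database; the devices table and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database; table and column names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)");
$pdo->exec("INSERT INTO devices (name, owner) VALUES ('camera', 'alice'), ('lock', 'bob')");

// Filter: accept only values that look like a device name.
function valid_device_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name) === 1;
}

// Parameterized query: the SQL text is fixed, the input is bound as a string value.
function find_device(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, owner FROM devices WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Helper to check whether the sample table is still present.
function table_exists(PDO $pdo, string $table): bool
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?");
    $stmt->execute([$table]);
    return (int) $stmt->fetchColumn() === 1;
}

// The article's input, with the table name changed to the sample table.
$input = "value'; DROP TABLE devices; --";

echo "filter accepts input: ", var_export(valid_device_name($input), true), PHP_EOL;
echo "rows from bound query: ", count(find_device($pdo, $input)), PHP_EOL;
echo "table after bound query: ", var_export(table_exists($pdo, 'devices'), true), PHP_EOL;

// The article's concatenated form. PDO::exec() passes the whole string to SQLite,
// which runs every statement in it.
$unsafe = "SELECT id FROM devices WHERE name='" . $input . "'";
echo $unsafe, PHP_EOL;
$pdo->exec($unsafe);
echo "table after concatenated query: ", var_export(table_exists($pdo, 'devices'), true), PHP_EOL;
```

Whether a second, stacked statement actually runs depends on the database driver and the call used, which is one more reason to keep user input out of the SQL text entirely.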
While most third party vendors will do this for you, it is in your best interest to do a code inspection yourself to verify that SQL injection attacks are handled correctly before rolling your product out to production. The last thing you want is unauthorized access to your precious data or even losing business due to mass loss of data.