Whatterz


Preventing SQL Injection in an AIR Application

by Simon. Average Reading Time: about 3 minutes.

SQLite is a mostly ACID-compliant relational database management system contained in a relatively small (~500kB) C programming library. The Adobe AIR runtime includes the SQLite embedded database for use by Adobe AIR applications. This allows applications to run and store data locally and or synchronise the datastore with online repositories.

Applications that depend on user input to create a SQL statement — concatenating the user input to the SQL query — can become vulnerable to SQL Injection attacks, much like those common to web applications.

SQL Injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

Fortunately, there is a simple solution to the problem: use parameterised SQL Statements. Parameterised statements not only make your applications more secure and run more efficiently, but they also enable you to use objects, rather than literal values, in your queries. SQL injection can’t happen because the parameter values are treated explicitly as substituted values, rather than becoming part of the literal statement text.

Parameters in a SQL statement can be either named or unnamed. Below are examples of both types of statement in ActionScript and JavaScript.

Named Parameters

A named parameter has a specific name that is used to match the parameter value to its placeholder location in the SQL statement text. A parameter name consists of the colon (:) or an at (@) character followed by the variable’s name:

ActionScript 3

var conn:SQLConnection = new SQLConnection();
var stmt:SQLStatement = new SQLStatement();
stmt.sqlConnection = conn;
stmt.text = "INSERT INTO user VALUES(@title, @firstname, @lastname)";
stmt.parameters["@title"] = "Mr";
stmt.parameters["@firstname"] = "Simon";
stmt.parameters["@lastname"] = "Whatley";
stmt.execute()

JavaScript

var conn = new air.SQLConnection();
var stmt = new air.SQLStatement();
stmt.sqlConnection = conn;
stmt.text = "INSERT INTO user VALUES(@title, @firstname, @lastname)";
stmt.parameters["@title"] = "Mr";
stmt.parameters["@firstname"] = "Simon";
stmt.parameters["@lastname"] = "Whatley";
stmt.execute()

Unnamed Parameters

As an alternative to using explicit named parameters, you can also use implicit unnamed parameters. To use an unnamed parameter you simply designate a parameter in the SQL statement using a question mark (?) character. Each parameter is assigned a numeric index, according to the order in which the parameters appear in the SQL statement, starting with index 0 (zero) for the first parameter.

ActionScript 3

var conn:SQLConnection = new SQLConnection();
var stmt:SQLStatement = new SQLStatement();
stmt.sqlConnection = conn;
stmt.text = "INSERT INTO address VALUES(?, ?, ?, ?)";
stmt.parameters[0] = "123 Main Street";
stmt.parameters[1] = "Sometown";
stmt.parameters[2] = "12345";
stmt.parameters[3] = "USA";
stmt.execute()

JavaScript

var conn = new air.SQLConnection();
var stmt = new air.SQLStatement();
stmt.sqlConnection = conn;
stmt.text = "INSERT INTO address VALUES(?, ?, ?, ?)";
stmt.parameters[0] = "123 Main Street";
stmt.parameters[1] = "Sometown";
stmt.parameters[2] = "12345";
stmt.parameters[3] = "USA";
stmt.execute()

Note: Use clearParameters() to empty the statement parameters array; e.g. stmt.clearParameters().

Advantages

  1. Performance – A SQL statement that uses parameters can execute more efficiently compared to one that dynamically creates the SQL text each time it executes. The performance improvement is because the statement is prepared once and then executed multiple times using different parameter values, without needing to recompile the SQL statement. A comparison can be draw with database stored procedures.
  2. Data Typing – Parameters are used to allow for typed-substitution of values that are unknown at the time the SQL statement is constructed. The use of parameters is the only way to guarantee the type (storage class) for a value passed to the database. Using paramters therefore, implies better performance and security. When parameters are not used, the runtime attempts to convert all values from their text representation to a type based on the associated column’s type.
  3. Security – The AIR application is not vulnerable to SQL injections so common to web applications.

This article has been tagged

, , , , , , , , , , , , , , ,

Other articles I recommend

How to Fix a SQL Injection Attack

In my previous post, What is a SQL Injection Attack, I gave a brief overview of SQL injection and Cross-Site Scripting (XSS), primarily with regard to websites. In the example given, we saw that an attack could take the form of a ‘hacked’ URL which contained either a literal SQL statement, or a hexadecimal string that could be interpreted by an insecure SQL database server.

What is a SQL Injection Attack

Over the past few weeks, subversive elements in the international arena have decided that attacking websites is a fun thing to do! The online world has become the new battle ground between nations vying to de-stabilise rivals. This may seem all very Jack Bauer, but we are increasingly seening ‘SQL injection attacks’ eminating from countries such as Russia, China and North Korea. Of course, that doesn’t mean our countries aren’t doing the same in return, but we only see the results from foreign-based attacks.

Using jQuery Auto-Complete with ColdFusion

Creating an autocomplete form field historically has not been a trivial matter and would require an indepth knowledge of JavaScript and CSS. However, the task is made far more simple when using one of the many freely-available JavaScript libraries. In this post I will show you how to implement the jQuery Autocomplete created by Dylan Verheul.