SQL injection attacks are relatively easy to protect against. One good way to prevent SQL injection is to use parameterized statements, also called prepared statements. These involve the use of placeholders in SQL queries, which are later filled-in by the database with a subsequent call. Thus, raw SQL is never executed, instead, a prepared query is created, and then its parameters are bound in order. Here’s a simple example (in C++):

stmt = "SELECT * from USER WHERE userID = ?";
/* ? is the parameter placeholder
 * stmt is prepared, and then the parameter is bound using a bind_param()
 * call
 */

In this way, user input is only bound to a variable with pre-determined constraints (max length, type, allowable characters, etc.).

Some other common defenses against SQL injection are user input escaping and network security devices that do pattern analysis on traffic. Input escaping is tricky, because attackers can be clever and use Unicode characters and other techniques to bypass typical escaping rules. So web developers should be aware of these techniques. IDS/IPS devices can provide an additional layer of security to detect and block traffic that matches knows SQL injection signatures.

One interesting new development in the last few years is the emergence of application layer filters such as ModSecurity. These modular firewalls plug-in to existing application servers such as Apache, and provide an additional layer of protection against web-based attacks.

As always, employing a defense-in-depth strategy is strongly recommended for mitigating these and other classes of attacks.

UAL’s stock quickly witnessed a deficit of $1.14 billion as a result of the news, but by the end of the day had mostly recovered. The resulting loss in shareholder value was ~ $300 million. Of course, had the original article included the publication date (2002), this likely wouldn’t have happened. The investigators believe this was an innocuous event, but it’s very easy to imagine a similar case as a malicious event. Industry competition, rogue employees, or other nefarious parties could conspire to hijack another company’s stock or reputation (which has a strong correlation to stock price).

It’s not clear that much can be done to mitigate this form of social engineering. Once a news blurb gains traction, it circulates the various blogging networks, online media conglomerates, and aggregators like Google News. One way to attempt to contain an inaccurate story is to issue an official company press release stating the news is inaccurate or misleading. This, however, may appear unconvincing to many, eager to trust third-party reportings over the official party line.

Another interesting facet is in assigning blame. Is it Google’s crawlers’ fault for not being able to distinguish old news from current? Or perhaps Tribune is at fault: its online paper South Florida Sun-Sentinel published the old article without a date. Stockholders (and automated software acting on their behalf) selling their shares based on the news are also potentially to blame for not researching the news with due diligence prior to acting on it.