クラサバにSQLインジェクション対策は無関係だと、なぜ考える?

下火になってるようですが、以前SQLインジェクションが話題になっていました。
浸透していると思っていたのですが、耳を疑う事を聞いてしまいました。
得意先マスタの一覧を表示する画面でのこと。データ抽出条件が,住所項目で指定できるという,よくあるパターンです。
sql = " select fld1,fld2,fld3 from 得意先マスタ where 住所 Like =' " + textbox1.text.trim + "'"
といった感じでコーディングされてます。
　当然、インジェクションが起るので、ダメ出しをしたのですが、話が通じません。
当人側の主張は, 「インジェクション問題は聞いたことはあるが、それはWebアプリの問題で,このシステムはクラサバシステムだから無関係でしょ」でした。
??? そういう問題?　　(ビジネス処理に,Webもクラサバも無関係だろう!!..気持ちは抑えて)
なぜ危ないか説明したのですが、危険性の理解は得られたが、「ユーザーはそんな入力する知識はないし,可能性も少ないので考慮するのは不要
　　　　パラメータクエリで実装するのは手間, 文字列加算で実装したほうが直感的で楽」でした。

??? それでいいの?
最近、こんな事例によく出くわします。「バグは発覚しなければ良いので、潰すのはそれからだ」という考えを垣間見た気がして不満感一杯。
これもモラルの低下か!! と思うのは私が年代物になったからなのだろうか。

投稿日時 : 2007年3月26日 1:02

Feedback

# re: クラサバにSQLインジェクション対策は無関係だと、なぜ考える? 2007/03/26 13:53 シャノン

> 「バグは発覚しなければ良いので、潰すのはそれからだ」

この言葉には、「今はそれよりもやるべきことがある」って続きますかね。
短納期化、低コスト化が響いている…
「テストしてる暇があったら次の案件にかかれ」みたいな？

# re: クラサバにSQLインジェクション対策は無関係だと、なぜ考える? 2007/03/26 20:16 Ognac

自分の首を絞めていることに気づかないのかな?

# re: クラサバにSQLインジェクション対策は無関係だと、なぜ考える? 2007/03/26 20:43 かつのり

確かにﾋﾄﾞｽｗｗｗ。
値に短引用符が使われる可能性がない限り、
「これは仕様である」とでも言い張るんでしょうね。
そして「不正な操作を行うユーザが悪い」とか言うのでしょうね。

こういうところからITに対する価値が下がっていくのかな。

# re: クラサバにSQLインジェクション対策は無関係だと、なぜ考える? 2007/03/26 21:24 ちゃっぴ

というよりも、Intranet の場合、直接 DB に好きなように接続できちゃう SQL injection 以前の問題のほうが多いと思いますよ。

# re: クラサバにSQLインジェクション対策は無関係だと、なぜ考える? 2007/03/26 23:10 Jitta

　危険なのは「セキュリティホールのあるアプリケーション」ではなく、「セキュリティホールがあることがわかっていて放置する開発者の体質」なんですけどねぇ。
　で、実際、セキュリティ上の穴にはならなくても、バグにはなり得るのです。
→ http://blogs.wankuma.com/jitta/archive/2006/02/20/21370.aspx
　今回パラメータライズドクエリにしなかったら、この次の機会も、「前回はこうだったから」と、おそらく文字列連結を使うでしょう。そして、Web アプリケーションになっても、やはり使ってしまい、後になって対応に走り回ることになるでしょう。
　先にやっておく方が楽なのに。。。

> パラメータクエリで実装するのは手間, 文字列加算で実装したほうが直感的で楽
　そうかなぁ？そこでいったん文字列が切れちゃうんですよ？パラメータにした方が、直感的で見やすく、保守もしやすく、おまけにセキュア。
# とりあえず、「ストアドプロシージャ」はいわないでおく

> 「これは仕様である」とでも言い張るんでしょうね。
言い張っているのがサイボウズ。。。

# re: クラサバにSQLインジェクション対策は無関係だと、なぜ考える? 2007/03/27 0:09 Ognac

皆様ありがとうございます
>セキュリティホールがあることがわかっていて放置する開発者の体質
激しく同意!! JITTAさんの記事に大いに賛同します。
>言い張っているのがサイボウズ。。。
おお!そうなんですか?

>SQL injection 以前の問題
これは別次元の大きな問題ですよね。

# re: クラサバにSQLインジェクション対策は無関係だと、なぜ考える? 2007/03/28 17:06 シャノン

関係ある話かな･･･

http://www.atmarkit.co.jp/news/200703/27/topse.html

「産業界には科学がない、大学には実践がない」

> アカデミックな世界には、複雑・高度化するソフトウェア開発で有用な先端的ツールや手法が存在しているが、実際の課題に適用した教材が不足している。
> 一方、産業界では難度の高い新規開発課題に対して、高い品質の設計が行える優れたアーキテクトが不足している。

> NTTデータの松本隆明技術開発本部長は、現在のソフトウェア開発における問題点として「きちんと上流工程から設計ができておらず、開発そのものが科学的でない」ことを指摘する。
> 開発プロジェクトが遅れがちになり、ソフトウェア産業界が“3K”のレッテルを貼られている大きな原因だという。

まぁ、今回の例は技術というより常識、良識の部類かもしれませんけど。

# re: クラサバにSQLインジェクション対策は無関係だと、なぜ考える? 2007/03/28 21:02 Ognac

>常識、良識の部類かもしれませんけど
我々の常識、良識と一般開発者とはズレてきている気がします。
>アカデミックな世界...
このあり方が技術の進歩をもたらしたとも言えるでなんとも判断つきかねますね。

# Posts like this make 2014/05/11 17:00 Jhett

Posts like this make the inenrett such a treasure trove

# Have you ever considered creating an e-book or guest authoring on other blogs? I have a blog based on the same information you discuss and would really like to have you share some stories/information. I know my viewers would appreciate your work. If y 2019/05/08 10:49 Have you ever considered creating an e-book or gue

Have you ever considered creating an e-book or guest authoring on other
blogs? I have a blog based on the same information you discuss and would really like
to have you share some stories/information. I know my viewers would appreciate your
work. If you are even remotely interested, feel free to shoot me
an email.

# I got this site from my friend who told me on the topic of this website and at the moment this time I am browsing this web page and reading very informative articles at this time. 2019/05/09 7:44 I got this site from my friend who told me on the

I got this site from my friend who told me on the topic of this website and at the moment this time I am browsing this web page and reading very informative articles at this
time.

# I read this piece of writing fully about the resemblance of newest and earlier technologies, it's awesome article. 2019/08/25 2:22 I read this piece of writing fully about the resem

I read this piece of writing fully about the resemblance of newest
and earlier technologies, it's awesome article.

# What's up, after reading this amazing post i am as well happy to share my familiarity here with mates. 2019/09/17 9:29 What's up, after reading this amazing post i am as

What's up, after reading this amazing post i am as well happy to
share my familiarity here with mates.

# Howdy! Do you know if they make any plugins to assist with SEO? I'm trying to get my blog to rank for some targeted keywords but I'm not seeing very good success. If you know of any please share. Thanks! 2021/08/24 7:27 Howdy! Do you know if they make any plugins to ass

Howdy! Do you know if they make any plugins
to assist with SEO? I'm trying to get my blog to rank for
some targeted keywords but I'm not seeing very good success.
If you know of any please share. Thanks!

# Howdy! Do you know if they make any plugins to assist with SEO? I'm trying to get my blog to rank for some targeted keywords but I'm not seeing very good success. If you know of any please share. Thanks! 2021/08/24 7:28 Howdy! Do you know if they make any plugins to ass

# Howdy! Do you know if they make any plugins to assist with SEO? I'm trying to get my blog to rank for some targeted keywords but I'm not seeing very good success. If you know of any please share. Thanks! 2021/08/24 7:29 Howdy! Do you know if they make any plugins to ass

# Howdy! Do you know if they make any plugins to assist with SEO? I'm trying to get my blog to rank for some targeted keywords but I'm not seeing very good success. If you know of any please share. Thanks! 2021/08/24 7:30 Howdy! Do you know if they make any plugins to ass

# We're a group of volunteers and opening a new scheme in our community. Your web site offered us with valuable info to work on. You have done an impressive job and our whole community will be thankful to you. 2021/08/26 6:47 We're a group of volunteers and opening a new sche

We're a group of volunteers and opening a new scheme in our community.

Your web site offered us with valuable info to work
on. You have done an impressive job and our whole community will be thankful to you.

# Hi! Someone in my Myspace group shared this website with us so I came to check it out. I'm definitely enjoying the information. I'm bookmarking and will be tweeting this to my followers! Fantastic blog and amazing style and design. 2021/08/31 18:47 Hi! Someone in my Myspace group shared this websit

Hi! Someone in my Myspace group shared this website with us
so I came to check it out. I'm definitely enjoying the information. I'm bookmarking and will be tweeting this to my
followers! Fantastic blog and amazing style and design.

# Hi! Someone in my Myspace group shared this website with us so I came to check it out. I'm definitely enjoying the information. I'm bookmarking and will be tweeting this to my followers! Fantastic blog and amazing style and design. 2021/08/31 18:48 Hi! Someone in my Myspace group shared this websit

# Hi! Someone in my Myspace group shared this website with us so I came to check it out. I'm definitely enjoying the information. I'm bookmarking and will be tweeting this to my followers! Fantastic blog and amazing style and design. 2021/08/31 18:49 Hi! Someone in my Myspace group shared this websit

# Hi! Someone in my Myspace group shared this website with us so I came to check it out. I'm definitely enjoying the information. I'm bookmarking and will be tweeting this to my followers! Fantastic blog and amazing style and design. 2021/08/31 18:50 Hi! Someone in my Myspace group shared this websit

# Hurrah, that's what I was searching for, what a material! present here at this webpage, thanks admin of this website. 2021/09/01 21:37 Hurrah, that's what I was searching for, what a ma

Hurrah, that's what I was searching for, what a
material! present here at this webpage, thanks admin of this
website.

# Hurrah, that's what I was searching for, what a material! present here at this webpage, thanks admin of this website. 2021/09/01 21:38 Hurrah, that's what I was searching for, what a ma

Hurrah, that's what I was searching for, what a
material! present here at this webpage, thanks admin of this
website.

# Hurrah, that's what I was searching for, what a material! present here at this webpage, thanks admin of this website. 2021/09/01 21:39 Hurrah, that's what I was searching for, what a ma

Hurrah, that's what I was searching for, what a
material! present here at this webpage, thanks admin of this
website.

# Hurrah, that's what I was searching for, what a material! present here at this webpage, thanks admin of this website. 2021/09/01 21:40 Hurrah, that's what I was searching for, what a ma

Hurrah, that's what I was searching for, what a
material! present here at this webpage, thanks admin of this
website.

# My brother suggested I might like this website. He was entirely right. This post actually made my day. You can not imagine just how much time I had spent for this info! Thanks! 2021/09/02 22:54 My brother suggested I might like this website. He

My brother suggested I might like this website.
He was entirely right. This post actually made my
day. You can not imagine just how much time I had spent for this info!
Thanks!

# My brother suggested I might like this website. He was entirely right. This post actually made my day. You can not imagine just how much time I had spent for this info! Thanks! 2021/09/02 22:55 My brother suggested I might like this website. He

My brother suggested I might like this website.
He was entirely right. This post actually made my
day. You can not imagine just how much time I had spent for this info!
Thanks!

# My brother suggested I might like this website. He was entirely right. This post actually made my day. You can not imagine just how much time I had spent for this info! Thanks! 2021/09/02 22:56 My brother suggested I might like this website. He

My brother suggested I might like this website.
He was entirely right. This post actually made my
day. You can not imagine just how much time I had spent for this info!
Thanks!

# My brother suggested I might like this website. He was entirely right. This post actually made my day. You can not imagine just how much time I had spent for this info! Thanks! 2021/09/02 22:57 My brother suggested I might like this website. He

My brother suggested I might like this website.
He was entirely right. This post actually made my
day. You can not imagine just how much time I had spent for this info!
Thanks!

# I'm not sure where you're getting your info, but good topic. I needs to spend some time learning much more or understanding more. Thanks for excellent info I was looking for this info for my mission. 2021/09/04 11:26 I'm not sure where you're getting your info, but g

I'm not sure where you're getting your info, but good topic.
I needs to spend some time learning much more or understanding
more. Thanks for excellent info I was looking for this info for my
mission.

# I'm not sure where you're getting your info, but good topic. I needs to spend some time learning much more or understanding more. Thanks for excellent info I was looking for this info for my mission. 2021/09/04 11:27 I'm not sure where you're getting your info, but g

I'm not sure where you're getting your info, but good topic.
I needs to spend some time learning much more or understanding
more. Thanks for excellent info I was looking for this info for my
mission.

# I'm not sure where you're getting your info, but good topic. I needs to spend some time learning much more or understanding more. Thanks for excellent info I was looking for this info for my mission. 2021/09/04 11:28 I'm not sure where you're getting your info, but g

I'm not sure where you're getting your info, but good topic.
I needs to spend some time learning much more or understanding
more. Thanks for excellent info I was looking for this info for my
mission.

# I'm not sure where you're getting your info, but good topic. I needs to spend some time learning much more or understanding more. Thanks for excellent info I was looking for this info for my mission. 2021/09/04 11:29 I'm not sure where you're getting your info, but g

I'm not sure where you're getting your info, but good topic.
I needs to spend some time learning much more or understanding
more. Thanks for excellent info I was looking for this info for my
mission.

# Undeniably believe that which you stated. Your favorite justification appeared to be on the web the simplest thing to be aware of. I say to you, I certainly get annoyed while people think about worries that they plainly do not know about. You managed to 2021/09/05 18:11 Undeniably believe that which you stated. Your fav

Undeniably believe that which you stated.
Your favorite justification appeared to be on the web the simplest thing to be aware of.
I say to you, I certainly get annoyed while people think about
worries that they plainly do not know about. You managed to
hit the nail upon the top and defined out the whole thing without having side-effects ,
people could take a signal. Will probably be back to
get more. Thanks

# Great blog! Is your theme custom made or did you download it from somewhere? A theme like yours with a few simple tweeks would really make my blog stand out. Please let me know where you got your design. Kudos quest bars http://bitly.com/3jZgEA2 quest 2021/09/10 19:48 Great blog! Is your theme custom made or did you

Great blog! Is your theme custom made or did you download it from somewhere?
A theme like yours with a few simple tweeks would really make
my blog stand out. Please let me know where you got your design. Kudos quest bars http://bitly.com/3jZgEA2 quest
bars

# Great blog! Is your theme custom made or did you download it from somewhere? A theme like yours with a few simple tweeks would really make my blog stand out. Please let me know where you got your design. Kudos quest bars http://bitly.com/3jZgEA2 quest 2021/09/10 19:49 Great blog! Is your theme custom made or did you

# Great blog! Is your theme custom made or did you download it from somewhere? A theme like yours with a few simple tweeks would really make my blog stand out. Please let me know where you got your design. Kudos quest bars http://bitly.com/3jZgEA2 quest 2021/09/10 19:50 Great blog! Is your theme custom made or did you

# Marvelous, what a website it is! This web site presents helpful facts to us, keep it up. 2021/12/25 19:47 Marvelous, what a website it is! This web site pre

Marvelous, what a website it is! This web site presents helpful facts to us,
keep it up.

# ivermectin australia http://stromectolabc.com/
ivermectin lotion for lice 2022/02/07 17:44 Busjdhj

ivermectin australia http://stromectolabc.com/
ivermectin lotion for lice

# online doxycycline https://doxycyline1st.com/
doxy 2022/02/25 22:25 Doxycycline

online doxycycline https://doxycyline1st.com/
doxy

# vibramycin 100 mg https://doxycyline1st.com/
how to buy doxycycline online 2022/02/26 9:40 Doxycycline

vibramycin 100 mg https://doxycyline1st.com/
how to buy doxycycline online

# Hey there! I've been following your website for a while now and finally got the bravery to go ahead and give you a shout out from Houston Tx! Just wanted to mention keep up the good job! 2022/03/25 6:34 Hey there! I've been following your website for a

Hey there! I've been following your website for a while now and finally
got the bravery to go ahead and give you a shout
out from Houston Tx! Just wanted to mention keep up the good job!

# medications for ed https://erectionpills.best/
ed pills otc 2022/06/28 11:02 ErectionPills

medications for ed https://erectionpills.best/
ed pills otc

# meds online without doctor prescription https://withoutprescription.store/
non prescription ed pills 2022/07/02 17:39 CanadaRx

meds online without doctor prescription https://withoutprescription.store/
non prescription ed pills

# molnupiravir vs paxlovid https://paxlovid.best/
paxlovid dosing 2022/09/07 22:51 Paxlovid

molnupiravir vs paxlovid https://paxlovid.best/
paxlovid dosing

# doors2.txt;1 2023/03/14 15:34 WuokMZobvHXgCSsiXm

doors2.txt;1

# doors2.txt;1 2023/03/14 17:00 nIfSxcomliTkGaO

doors2.txt;1

タイトル		タイトルを入力してください
名前		名前を入力してください
Url
コメントコメントを入力してください
名前をブラウザに記憶する

Ognacの雑感

目次

Blog 利用状況

書庫

ギャラリ