
Secrets from the Data Cave: January 2015

Welcome to CRC's monthly series of articles on all things techie: Secrets from the Data Cave! (For those who don't know, the title references our room, fondly referred to as the "bat cave," where data staff can geek out in an isolated setting.) Here we'll be offering you a sneak peek into the cave, with tips and the latest updates on what we're implementing here at CRC.

(This month’s SDC is an on-the-road edition!)


Late last fall, I had the opportunity to go to phpworld 2014, a conference for PHP code developers, held in Washington DC.

Many different web applications are written in the programming language PHP, so developers have a myriad of platforms to build on (including, but not limited to, Drupal, WordPress, Joomla, and Magento). This conference is designed to bring these communities together so that developers can learn how others are using the language and get ideas for enhancing their existing applications.

The conference sessions that fascinated me the most were those about web security. PHP is great for developers because it is a very powerful language, meaning you can do a lot with it. But, without the proper precautions, hackers can turn that power against your applications and cause huge headaches.


One conference presenter gave a great example of how this might look in the real world. As context for the example, you need to know that there are certain strings of characters that, if a hacker types them into your application and you haven't protected your database, the application will pass along as legitimate SQL code, and the database will do exactly what they say, such as drop all the tables. A hacker could therefore use this technique (called SQL injection) with a DROP TABLE command, feeding the application text that masquerades as part of the original developer's code, to irreversibly erase all of your data.

With this in mind, consider the presenter's example: a would-be hacker in Europe rigged up a fake license plate with a bit of SQL injection code printed on it. He was exploiting the fact that traffic cameras use picture-parsing technology to break down an image of a license plate into individual characters (to record the plate info of speeders).


So, this was presumably an effort to trick the traffic camera into parsing the code and feeding it into the database as it would any license plate. If the back end built its SQL by pasting the plate text straight into a query, this would ultimately have wiped all the stored traffic data clean via SQL injection! Now, it's unlikely that this actually worked in practice. But it did get me thinking about the lengths hackers will go to in order to mess with your data.
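To make the mechanism concrete, here is an added example, written for this post and not taken from the talk or from any CRC code, in Python with SQLite standing in for the PHP-and-MySQL stacks the conference was about. It builds a toy table of plate reads, feeds one constructed "plate" string through two code paths (string concatenation versus a parameterised query) and checks whether the table survives each one. The table name, the plate format allow-list and the sample rows are all made up for the illustration, and the `executescript` call in the unsafe path mimics a database driver that runs several statements from one call.

```python
import re
import sqlite3

# Constructed sample plate reads, standing in for what a camera's OCR would hand to the back end.
SAMPLE_PLATES = [("ABC 123", 92), ("XYZ 789", 88)]

# Allow-list for what a plate read may look like before it touches the database.
# The pattern is an assumption for this example; real plate formats vary by jurisdiction.
PLATE_PATTERN = re.compile(r"[A-Z0-9]{1,4} ?[A-Z0-9]{1,4}")


def fresh_db():
    """Create an in-memory database holding a hypothetical table of speeding records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE plates (id INTEGER PRIMARY KEY, plate TEXT NOT NULL, speed_kmh INTEGER)"
    )
    conn.executemany("INSERT INTO plates (plate, speed_kmh) VALUES (?, ?)", SAMPLE_PLATES)
    conn.commit()
    return conn


def record_plate_unsafe(conn, plate, speed):
    """The vulnerable pattern: the plate text is pasted into the SQL string.

    executescript() runs every statement in the string, which mimics a driver that
    accepts stacked queries; whatever the camera 'read' becomes part of the command.
    """
    sql = "INSERT INTO plates (plate, speed_kmh) VALUES ('%s', %d);" % (plate, speed)
    conn.executescript(sql)


def record_plate_safe(conn, plate, speed):
    """The hardened pattern: a parameterised query.

    The plate is bound as data, so it is never parsed as SQL no matter what it contains.
    """
    conn.execute("INSERT INTO plates (plate, speed_kmh) VALUES (?, ?)", (plate, speed))
    conn.commit()


def looks_like_plate(text):
    """Defence in depth: reject OCR output that does not match the expected plate shape."""
    return PLATE_PATTERN.fullmatch(text) is not None


def table_exists(conn):
    """True if the plates table is still in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'plates'"
    ).fetchone()
    return row is not None


def stored_plates(conn):
    """All plate strings currently stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT plate FROM plates ORDER BY id")]


def demo():
    """Run the same constructed 'plate' through both code paths and report what survives."""
    # Constructed input shaped like the presenter's story: values that complete the
    # developer's INSERT, a second statement, then a comment marker that swallows the rest.
    hostile_read = "ZZ 1', 0); DROP TABLE plates; --"

    unsafe = fresh_db()
    record_plate_unsafe(unsafe, hostile_read, 95)

    safe = fresh_db()
    record_plate_safe(safe, hostile_read, 95)

    return {
        "unsafe_table_survives": table_exists(unsafe),
        "safe_table_survives": table_exists(safe),
        "safe_rows": stored_plates(safe),
        "passes_allow_list": looks_like_plate(hostile_read),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the parameterised path the odd-looking plate is simply stored as a string, which is the behaviour you want: the database should never be asked to decide whether input is data or code. The allow-list check is a second, independent layer; in the PHP world the equivalent of the safe path is PDO or mysqli prepared statements with bound parameters.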

All in all, it was an excellent conference, and I feel I learned a lot about this powerful coding language. I'm now looking forward to connecting with more PHP developers in the future!

Let’s work together!

Most nonprofits spend days putting together reports for board meetings and funders. The Inciter team brings together data from many sources to create easy and effortless reports. Our clients go from spending days on their reports, to just minutes.