Structured Query Language (SQL) Injection
Definition: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server will execute every syntactically valid query that it receives.
Even parameterized data can be manipulated by a skilled and determined attacker.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata.
When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.
The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--".
Subsequent text is ignored at execution time.
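The following Python example is added here to illustrate both injection paths described above (direct concatenation of user input, and the less direct path where a stored string is later concatenated into dynamic SQL) alongside the parameterized form that treats the same input as plain data. It is not code from the original page or from SQL Server documentation; it uses SQLite in memory as a stand-in for SQL Server, and the table, rows and input strings are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # Inserts use bound parameters, so the sample rows are stored as data.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable pattern: the caller's string is spliced into the statement text.

    A value such as  nobody' OR 1=1 --  closes the quoted literal early,
    appends its own predicate, and the trailing comment mark swallows the
    closing quote the code intended to add.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, name):
    """Remediation: the statement shape is fixed; the value is bound separately.

    The same hostile string is compared as a literal name and matches nothing.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


def second_order(conn, stored_name):
    """Indirect path: a string is stored safely, then concatenated later.

    The INSERT is parameterized and is not itself exploitable, but the
    stored value carries the injected syntax into any later dynamic SQL
    that concatenates it, which is where it executes.
    """
    conn.execute("INSERT INTO users VALUES (?, ?)", (stored_name, "stored@example.com"))
    (name,) = conn.execute(
        "SELECT name FROM users WHERE email = ?", ("stored@example.com",)
    ).fetchone()
    # Later code trusts the value because it "came from the database".
    return lookup_concatenated(conn, name)


if __name__ == "__main__":
    db = make_db()
    hostile = "nobody' OR 1=1 --"
    print("concatenated :", lookup_concatenated(db, hostile))   # every row
    print("parameterized:", lookup_parameterized(db, hostile))  # []
    print("second order :", second_order(make_db(), hostile))   # every row
```

Reviewing code for the concatenated pattern is the check the page calls for; in practice it means searching every routine that assembles SQL from strings, including ones whose only inputs are values read back from the database.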
If you were looking for "wow" technology that could be used on a daily basis by patients, doctors, hospitals and others in the health care industry, this week's mHealth Summit showcased it all!
The only thing that seemed to be missing was the Tricorder used by Dr. McCoy on Star Trek. Devices to remotely monitor your heart rate, applications that let you know what prescriptions to take when, services that allow doctors to securely share patient information using a smartphone, and the list goes on. They were all on display.
As someone who firmly believes there are technological solutions that can offer Americans throughout the country -- in both rural and metro areas -- higher quality health care services at more affordable prices, I was truly impressed at what I saw at the summit.
And I had the opportunity to speak with many of the companies exhibiting these products and services. Some of these conversations are available on the site. (See: mHealth DC 2010)
In my column a couple of weeks ago I mentioned that health care technology was outpacing adoption and after walking the exhibit floor at the summit, I believe that is still the case.
But the good news is that we all know that mobile devices and applications are being adopted by millions of people and that in many cases the use of mobile phones that do more will continue to grow. That holds true as much in the health care industry as it does in our everyday lives.
Companies supporting these mobile applications and services are smart enough to understand that broad adoption and acceptance will only happen when the health care industry and the general public buy into the benefits of mobile health care (mHealth).
As far as the summit went, an educational component, or a "what's in it for me" portion, was missing. Company salespeople and executives were quick to point out the benefits their applications or services offered potential customers and users but there is a need to distribute that knowledge outside the four walls of the convention center.
Knowing how a service or application works, how it changes the interaction among patients, doctors and insurance companies, or how it can lower the cost of services are basic questions that need to be addressed in order to reach the comfort zone for adoption. Basic education is essential.
These are some of the areas I intend to cover in the future - including one-on-one interviews with companies supporting health care. Stay tuned and hopefully I will keep you tuned in.
Follow me on Twitter: @TechnicalJones