How to secure against SQL injection?

What is SQL Injection?

The ability to inject SQL commands into the database engine through an existing application is called a SQL injection attack.

SQL injection is a type of security exploit in which the attacker adds SQL statements through a web application’s input fields or hidden parameters to gain access to resources or make changes to data.

It’s a serious vulnerability, which can lead to a high level of compromise – usually the ability to run any database query.

It is an attack on web-based applications that connect to database back-ends, in which the attacker executes unauthorized (and unexpected) SQL commands by taking advantage of insecure code and bad input validation. It is very often carried out against systems connected to the Internet because it allows the attacker to bypass the firewall completely. SQL injection attacks can be used to steal information from a database that would normally not be available and to gain access to host computers through the database engine.

Example of SQL Injection attack

SQL Query in Web application code:

"SELECT * FROM users WHERE login = '" + userName + "' and password= '" + password + "';"

The hacker logs in as: ' or '' = ''; --  and the query becomes:

SELECT * FROM users WHERE login = '' or '' = ''; --'; and password='';

The hacker deletes the users table with: ' or '' = ''; DROP TABLE users; --

SELECT * FROM users WHERE login = '' or ''=''; DROP TABLE users; --'; and password='';

What are Common SQL Injection Characters?

  • ' or " character string indicators
  • -- or # single-line comment
  • /*…*/ multiple-line comment
  • + addition, concatenate (or space in URL)
  • || (double pipe) concatenate
  • % wildcard attribute indicator
  • ?Param1=foo&Param2=bar URL parameters
  • PRINT useful as non-transactional command
  • @variable local variable
  • @@variable global variable
  • waitfor delay '0:0:10' time delay

How to Defend against SQL injections?

  • Sanitize all input. Assume all input is harmful.
  • Validate user input that contains dangerous keywords or SQL characters, such as “xp_cmdshell”, “--”, and “;”.
  • Consider using regular expressions to remove unwanted characters. This approach is safer than writing your own search and replace routines.
  • Run code with least privilege.
  • Do not execute an SQL SELECT statement as “sa”. Create low-privilege accounts to access data.
  • Use SQL permissions to lock down databases, stored procedures, and tables.
  • Remove unused stored procedures.
  • Do not allow clients to view ODBC/OLE DB error messages. Handle these errors with your own code. By default, ASP pages return error messages to clients.
  • Enable logging of all user access, and set alerts to log all failed attempts to access objects.
  • Do not use string concatenations to build SQL queries. Instead, use parameterized queries or parameterized stored procedures, because they explicitly define input and output values and do not process multiple statements as a batch.
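
The last point above, shown as an added example that is not part of the original post: the login query from earlier built by concatenation, next to the same query with bound parameters. It assumes Python's built-in sqlite3 module as a stand-in for SQL Server; the function names and the sample account are constructed for illustration.

```python
import sqlite3

# The two inputs quoted earlier on this page.
BYPASS_INPUT = "' or '' = ''; --"
DROP_INPUT = "' or '' = ''; DROP TABLE users; --"

def make_db():
    """In-memory database holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    # Plaintext password only to mirror the page's query (constructed data).
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_concatenated(conn, user_name, password):
    """The page's query built by string concatenation (vulnerable form)."""
    sql = ("SELECT * FROM users WHERE login = '" + user_name +
           "' and password = '" + password + "';")
    return conn.execute(sql).fetchone()

def login_parameterized(conn, user_name, password):
    """Same query with placeholders: input is bound as data, not parsed as SQL."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (user_name, password)).fetchone()

def table_exists(conn, name):
    """True if a table with this name is present in the database."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    conn = make_db()
    # Concatenation: the WHERE clause becomes always-true, a row comes back.
    print("concatenated :", login_concatenated(conn, BYPASS_INPUT, ""))
    # Parameters: the same text is compared literally against the login column.
    print("parameterized:", login_parameterized(conn, BYPASS_INPUT, ""))
    print("parameterized:", login_parameterized(conn, DROP_INPUT, ""))
    print("users table still present:", table_exists(conn, "users"))
    print("valid login  :", login_parameterized(conn, "alice", "correct-horse"))
```

With parameters the driver sends the statement text and the values separately, so quotes, semicolons and comment markers in the input never reach the SQL parser.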