Basically, SQL injection happens when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed as part of the query. Any webmaster building a web application that manipulates a database needs to take the following measures to prevent SQL injection.
According to WhiteHat Security’s statistics, there is a 20% likelihood that 8 out of 10 websites have a vulnerability in the area of SQL Injections.
- Keeping It Clean
For example, it is important to make sure that users enter only values made up of these characters in the email field :
Many database interface languages cater to the need for safe quoting of text. For example, with MySQL two functions are used to ‘string quote’ and to ‘string parse’ :
- mysql_real_escape_string() adds a backslash in front of every quotation mark.
- stripslashes() removes the backslashes in front of the quotation marks.
// Vulnerable version: the form field is concatenated straight into the SQL text
Statement s = connection.createStatement();
ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = '" + formField + "'"); // *boom*

// Safe version: the form field is bound as a parameter and never parsed as SQL
PreparedStatement ps = connection.prepareStatement("SELECT email FROM member WHERE name = ?");
ps.setString(1, formField); // bind the user input as data
ResultSet rs = ps.executeQuery();
Above is an example of bound parameters in Java. Neither quotes, semicolons, backslashes nor SQL comment notation can corrupt the query, because the input has been turned into data. Binding parameters is one of the most important steps anyone can take to truly secure a database against injection attacks.
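To make the difference between the two Java snippets above concrete, here is an added example (not from the original article) that runs both styles of query against a small in-memory SQLite table; the table, its rows and the test input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
MEMBERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory member table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", MEMBERS)
    return conn


def lookup_vulnerable(conn, form_field):
    # Mirrors the article's *boom* line: the input is glued into the SQL text,
    # so quote characters in it change the structure of the statement.
    sql = "SELECT email FROM member WHERE name = '" + form_field + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, form_field):
    # Mirrors the PreparedStatement: the input travels as a parameter value and
    # is never parsed as SQL, so quotes, semicolons and comments stay data.
    sql = "SELECT email FROM member WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (form_field,))]


def demo():
    """Run both lookups with a normal name and with a quote-laden input."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_bound": lookup_bound(conn, "alice"),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),
        "hostile_bound": lookup_bound(conn, hostile),
    }


if __name__ == "__main__":
    for label, emails in demo().items():
        print(label, emails)
```

With the concatenated query the quote-laden input widens the WHERE clause and every email comes back; with the bound parameter the same input is compared as a literal name and matches nothing.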
Web applications should connect to the database with as few rights as possible. A web application should start with only one type of access: query access to the members table. This eliminates the possibility of using an ‘UPDATE’ statement to taint the database. Let access rights be progressive, allowing more flexibility only after a successful user validation.
As long as the interface of the stored procedure stays the same, the table structure can change without consequence to the application using the database. This layer of abstraction acts as an extra barrier because table permissions are set implicitly. By only allowing database modifications through stored procedures, the tables themselves are never exposed to external applications.
A DMZ is a computer network that is reachable from two other networks that have no direct contact with each other. Often, one of these networks is the Internet and the other is a local, internal network. Placing a web server with very, very little access in a DMZ prevents total control of all networks, even if someone manages to take full control of that machine.