6 Ways On How To Prevent SQL Injections


SQL injection happens when user input is either incorrectly filtered for the string-literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed as part of the query. Any webmaster building web applications that manipulate a database should take the following measures to prevent SQL injection.

According to WhiteHat Security’s statistics, there is a 20% likelihood that 8 out of 10 websites have a vulnerability in the area of SQL Injections.

  1. Keeping It Clean

     Validate input against an allow-list. For example, make sure that what users enter in the email field contains only these characters:

     • abcdefghijklmnopqrstuvwxyz

  2. Quotes Quotes Quotes

     Many database interface languages cater to the need for safe quoting of text. For example, PHP's MySQL extension provides two functions, one to quote a string and one to strip the quoting again:

     • mysql_real_escape_string() adds backslashes in front of all the quotation marks.
     • stripslashes() removes backslashes in front of the quotation marks.

  3. Binding Parameters

     Insecure:

         Statement s = connection.createStatement();
         // user input is concatenated straight into the SQL text
         ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = '" + formField + "'"); // *boom*

     Secure:

         PreparedStatement ps = connection.prepareStatement("SELECT email FROM member WHERE name = ?");
         ps.setString(1, formField); // input is bound as data, not parsed as SQL
         ResultSet rs = ps.executeQuery();

     Above is an example of bound parameters in Java. Neither quotes, semicolons, backslashes nor SQL comment notation can corrupt the query, because the input has been turned into data rather than SQL text. Binding parameters is one of the most important steps anyone can take to truly secure a database against injection attacks.

  4. Rights Management

     Web applications should connect to the database with as few rights as possible. Start with only one kind of access, query access to the members table; this removes the possibility of using an UPDATE statement to taint the database. Let access rights grow progressively, granting more flexibility only after a user has been validated successfully.

  5. Making Use Of Stored Procedures

     As long as the stored procedure's interface stays the same, the table structure can change with no consequence for the application using the database. This layer of abstraction acts as an extra barrier because table permissions are set implicitly: by allowing database modifications only through stored procedures, the tables are never exposed directly to external applications.

  6. Separating TRUSTED and UNTRUSTED networks

     A DMZ is a computer network that is reachable from two other networks which have no direct contact with each other. Often one of these networks is the Internet and the other is a local, internal network. Placing a web server with very little access in a DMZ prevents an attacker from gaining control of every network, even if they manage to take full control of that machine.
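As an added example (not code from the original post), here are the two lookups from item 3 together with the allow-list check from item 1, written in Python against an in-memory SQLite table; the member rows and the quote-bearing input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for an in-memory "member" table (not from the page).
MEMBERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allow-list in the spirit of item 1: only the lowercase letters the page lists.
ALLOWED_RE = re.compile(r"[a-z]+")


def make_db():
    """Build the sample database; every insert uses bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", MEMBERS)
    return conn


def is_clean(value):
    """Item 1: reject anything outside the allow-list (quotes included)."""
    return ALLOWED_RE.fullmatch(value) is not None


def lookup_insecure(conn, form_field):
    """The *boom* pattern: user input is pasted into the SQL text itself."""
    sql = "SELECT email FROM member WHERE name = '" + form_field + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_secure(conn, form_field):
    """Item 3: the input travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT email FROM member WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (form_field,)))


def demo():
    """Run one honest and one quote-bearing input through both lookups."""
    conn = make_db()
    hostile = "x' OR 'a'='a"  # constructed input: the quote ends the literal early
    return {
        "bob_secure": lookup_secure(conn, "bob"),
        "hostile_clean": is_clean(hostile),
        "hostile_insecure": lookup_insecure(conn, hostile),  # every row comes back
        "hostile_secure": lookup_secure(conn, hostile),      # no member has that name
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The allow-list check rejects the hostile input before it reaches the database at all, and the bound-parameter lookup returns nothing for it even when the check is skipped; only the concatenated query leaks every row.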
