SQL Injection Introduction and Prevention

SQL Injection Introduction and Prevention

Introduction of SQL Injection

A successful SQL injection attack enables a malicious user to execute commands in your application's database by using the privileges granted to your application's login. The problem is more severe if your application uses an over-privileged account to connect to the database. For example, if your application's login has privileges to eliminate a database, then without adequate safeguards, an attacker might be able to perform this operation.

SQL injection attacks take advantage of code that does not filter input that is being entered directly into a form. Susceptible applications are applications that take direct user input and then generate dynamic SQL that is executed via back-end code. For example say you have a logon form that accepts a user name and password. Once authenticated against the database, the application then sets a session value, or some other token for allowing the user to access the protected data.

How to avoid SQL Injection Attack:

Common vulnerabilities that make your data access code susceptible to SQL injection attacks include:

• Weak input validation.
• Dynamic construction of SQL statements without the use of type-safe parameters.
• Use of over-privileged database logins.
• Use stored procedures for database access
• Isolate the web server
• Configure error reporting

SQL Injection Prevention Plan

To counter SQL injection attacks, we need to:

• Check for query string malfunction, border values and data types.
• Constrain and sanitize input data. Check for known good data by validating for type, length, format, and range.
• Verify SQL Username & Password strength and users permission granted.
• Verify and cross check Stored Procedure input types and permission granted.
• Use type-safe SQL parameters for data access. Implement these constraints in stored procedures or dynamically constructed SQL command strings.
• Create and verify SQL User account which would have restricted permissions in the database. Only grant execute permissions to selected stored procedures in the database and provide no direct table access.
• Avoid disclosing database error information. Verify and cross check with disclosing detailed error messages to the user.
• As seen from many of examples, the majority of injection attacks require single quotes to terminate an expression. So to avoid it Implement Functions and routines to escape quotes.
• Rectify each query string with input and parameters and avoid culprit characters/ character sequences by user defined functions. By removing these characters and character sequences from user input before building a query, we could reduce the chances of an injection attack even further.
• Verify genuine lengths of user input and limit it to a fixed variable. It's no good having a text box on a form that can accept 50 characters if the field only accept 10. By keeping all text boxes and form fields as short as possible.