what is SQL injection and how to prevent it

SQL Injection is one of the many web attack mechanisms used by hackers to steal data from your database.  It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.
If inputs are not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view information from the database and/or even wipe it out.
SQL Injection: A Simple Example
Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.
When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user is allowed access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user is granted appropriate access.
Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.
The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web browser, knowledge of SQL queries and creative guess work to important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.

What Can Be Done to Prevent an SQL Injection

Here are some examples how to prevent  it:
  • Use dynamic SQL only if absolutely necessary.Dynamic SQL can almost always be replaced with prepared statements, parameterized queries, or stored procedures. For instance in PHP we can use PDO with strongly typed parameterized queries (using bindParam()).In addition to prepared statements, we can use stored procedures. Unlike prepared statements, stored procedures are kept in the database but both require first to define the SQL code, and then to pass parameters.
  • Escape user input.Escaping user input is less effective than parameterized queries and stored procedures but if parameterized queries and stored procedures can’t be used, escaping user input is still more than nothing.
  • Assume magic quotes is always off.When the magic_quotes_gpc variable is off, this can prevent some (but not all) SQL injection attacks. This is why it is necessary to have code for the substitution of quotes with slashes.
    $username = $_POST['username'];
$password = $_POST['password'];
if (!get_magic_quotes_gpc()) {
   $username = addslashes($username);
   $password = addslashes($password);
}
  • Install patches regularly and timely.Even if your code doesn’t have SQL vulnerabilities, when the database server, the operating system, or the development tools you use have vulnerabilities, this is also risky. This is why you should always install patches, especially SQL vulnerabilities patches, right after they become available.
  • Remove all functionality you don’t use.Database servers are complex beasts and they have much more functionality than you need which can easily be misused.
  • Use automated test tools for SQL injections.Even if developers follow the rules above and do their best to avoid dynamic queries with unsafe user input, you still need to have a procedure to confirm this compliance. There are automated test tools to check for SQL injections and there is no excuse for not using them to check all the code of your database applications.One of the easiest tools (and a more or less a reliable one) to test SQL injections is the Firefox extension named SQL Inject ME. After you install the extension, the tool is available in the right-click context menu, as well as from Tools → Options. The sidebar of SQL Inject ME is shown in the next screenshot and as you can see there are many test you can run:

Comments

Post a Comment

Popular posts from this blog

How to call php functions inside smarty template directly

we can use {insert} tag for calling php functions inside smarty templates directly to display the output of the php function. it is similar to {include} tag except that {insert} tags are NOT cached when template caching is enabled. They will be executed on every invocation of the template. Remember all {insert} function names in your application must be prepended with “insert_” to remedy possible function name-space conflicts.so simply if your function is named as insert_getBanner, then call it inside {insert} tag as {insert name=”getBanner”} {* example of fetching a banner with agruments*} {insert name=”getBanner” lid=#banner_location_id# sid=#site_id#} Here we call a php function named as insert_getBanner with arguments lid and site_id so the php function must as like function insert_getBanner( $lid, $site_id) { ….. } we can use assign and script attributes to assign the output of insert tag to a variable and including a php script. more details can be found on http
Read more

Top 50 Web Hacking Techniques

This post will serve to collect new attack techniques as they are published. If you think something should be added, please comment below and I'll add them. "Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work." Current 2011 List Bypassing Flash’s local-with-filesystem Sandbox Abusing HTTP Status Codes to Expose Private Information SpyTunes: Find out what iTunes music someone else has CSRF: Fla
Read more

PHP / SQL Security – The Big Picture

Web Security Whether your site is the web presence for a large multinational, a gallery showing your product range and inviting potential customers to come into the shop, or a personal site exhibiting your holiday photos, web security matters. After the hard work put in to make your site look good and respond to your users, the last thing you want is for a malicious hacker to come along, perform a PHP hack and break it somehow. There are a number of problems in web security, and unfortunately not all of them have definite solutions, but here we'll look at some of the problems that should be considered every time you set out to write a PHP script to avoid a PHP hack attack. These are the problems which, with well-designed code, can be eliminated entirely. Before looking in detail at the solutions, though, lets take a moment to define the problems themselves. SQL Injection In this attack, a user is able to execute SQL queries in your website's database. This attack is u
Read more