What is SQL injection and how to prevent it

SQL Injection is one of the most common web attack techniques used to steal data from a database. It exploits application code that builds SQL queries by pasting user input straight into the query text, which lets an attacker inject SQL commands through, say, a login form and gain access to the data held in the database.
If inputs are not kept separate from the query (or at least properly escaped), a web application is open to SQL Injection attacks that allow an attacker to read information from the database, change it, or even wipe it out.
SQL Injection: A Simple Example
Take a simple login page where a legitimate user enters a username and password combination to enter a secure area, view personal details, or post comments in a forum.
When the user submits these details, the application builds an SQL query from them and sends it to the database for verification. If a matching row comes back, the user is allowed in. In other words, the code behind the login page talks to the database through a series of planned commands to verify the username and password combination, and grants the appropriate access on success.
Through SQL Injection, an attacker types specially crafted SQL fragments into those same form fields, with the intent of bypassing the login check and seeing what lies behind it. This is only possible when the input is concatenated directly into the SQL text instead of being passed as a parameter or properly escaped: a single quote in the input then ends the string literal and everything after it is read as SQL. For example, a username of admin'-- turns the query WHERE username = 'admin' AND password = '...' into WHERE username = 'admin'-- ... , and the password check becomes a comment. An SQL Injection vulnerability therefore gives the attacker a way to talk to the database directly, with the privileges of the application's database account.
Any server-side technology that builds SQL from strings can be vulnerable: ASP, ASP.NET, PHP, JSP, CGI scripts and everything else. The flaw lies in how the query is assembled, not in the language. All an attacker needs to perform an SQL Injection attack is a web browser, knowledge of SQL, and some creative guesswork at table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.

What Can Be Done to Prevent an SQL Injection

Here are the main ways to prevent it:
  • Use dynamic SQL only if absolutely necessary. Dynamic SQL (query text assembled from strings at runtime) can almost always be replaced with prepared statements or parameterized queries, which send the fixed SQL text and the parameter values to the database separately, so a value can never change the structure of the query. In PHP, use PDO with typed parameters (bindParam() with PDO::PARAM_INT, PDO::PARAM_STR, and so on) or mysqli prepared statements. Stored procedures are a further option: the SQL is kept in the database and the application only passes parameters. Like prepared statements, they require the SQL to be defined first and the parameters passed afterwards, but they are only as safe as their bodies: a procedure that concatenates its arguments into a string and executes it is just as injectable as application code that does the same.
  • Escape user input. Escaping is a weaker defence than parameterized queries and stored procedures: it has to be done on every code path, it must match the database's quoting rules and connection character set, and it does nothing for values used outside quotes (numeric fields, table or column names, ORDER BY clauses). If parameterization really can't be used, escape with the database driver's own function (for MySQL, mysqli_real_escape_string()) and keep the escaped value inside quotes in the query. It is still much better than nothing.
  • Assume magic quotes is always off. magic_quotes_gpc was PHP's old attempt to escape quotes in request data automatically. When it was on it stopped some (but not all) SQL injection attacks; it was unreliable, it was removed in PHP 5.4, and get_magic_quotes_gpc() itself was removed in PHP 8.0. Never rely on it: if you escape, do it explicitly in your own code. The legacy pattern for substituting quotes with backslashes looked like this, and is shown only so you recognise it in old code:
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    // Legacy guard: only escape here if magic quotes did not already.
    // get_magic_quotes_gpc() no longer exists in PHP 8, so check first.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        // addslashes() is not charset-aware; a parameterized query is the real fix.
        $username = addslashes($username);
        $password = addslashes($password);
    }
  • Install patches regularly and promptly. Even if your own code has no SQL injection flaws, vulnerabilities in the database server, the operating system, or the frameworks and libraries you build on put you at risk just the same. Install patches, especially those for database and web framework vulnerabilities, as soon as they become available.
  • Remove all functionality you don't use. Database servers are complex beasts with far more functionality than a typical application needs (command execution, file read and write, linked servers, extended stored procedures), and an injection turns every one of those features into an attacker's tool. Disable what you don't need, and run the application under a database account with only the privileges its queries require.
  • Use automated test tools for SQL injections. Even if developers follow the rules above and do their best to avoid dynamic queries with unsafe user input, you still need a procedure to confirm it. Automated tools exist to check for SQL injection and there is no excuse for not running them against every input of your database applications. One of the easiest tools (and a more or less reliable one) was the Firefox extension SQL Inject ME, which offered a sidebar with a long list of injection tests and was reachable from the right-click context menu and from Tools → Options. That add-on is no longer maintained for current Firefox releases; dedicated scanners such as sqlmap do the same job today, and a handful of injection payloads in your own integration tests catch the common cases at every build.
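The login example from the first section and the prevention advice above, worked through as an added example; this is not code from the original post. It uses Python's sqlite3 module rather than PHP and PDO because the mechanics are identical in any driver: the vulnerable version concatenates the form fields into the SQL text, the hardened version uses a parameterized query, and a small payload loop stands in for the automated test tools of the last bullet. The users table, the credentials and the payload list are constructed for the example; passwords are stored in clear only to keep the injected SQL readable.

```python
import sqlite3

# Constructed sample data standing in for the application's real users table.
# A real application stores password hashes, never cleartext passwords.
SAMPLE_USERS = [
    ("admin", "s3cret-admin-pw"),
    ("alice", "alice-pw"),
]

# Injection payloads a tester would type into the login form, as (username,
# password) pairs. "admin'--" closes the string literal and comments out the
# password check; "' OR '1'='1" makes the WHERE clause true for every row.
INJECTION_PAYLOADS = [
    ("admin'--", "anything"),
    ("' OR '1'='1", "' OR '1'='1"),
    ("x' OR 1=1--", "x"),
]


def make_db():
    """Create the constructed users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username, password):
    """Dynamic SQL: the form fields become part of the query text itself."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Return the authenticated username, or None. Injectable by design."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed and the driver passes the
    two inputs separately, so a quote inside them is data, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def scan_for_bypass(login_fn, conn, payloads=INJECTION_PAYLOADS):
    """Minimal automated injection check: feed each payload to a login
    function and return the payloads that authenticated without valid
    credentials, mapped to the account they logged in as."""
    findings = {}
    for user_input, pw_input in payloads:
        who = login_fn(conn, user_input, pw_input)
        if who is not None:
            findings[(user_input, pw_input)] = who
    return findings


if __name__ == "__main__":
    db = make_db()
    print("Injected query:", build_vulnerable_query("admin'--", "anything"))
    print("Vulnerable login bypasses:", scan_for_bypass(login_vulnerable, db))
    print("Parameterized login bypasses:", scan_for_bypass(login_safe, db))
```

The PDO equivalent of login_safe is a prepare() of the same fixed query text followed by execute() with the two values as parameters; the point is that the query string never contains user input. Running the scan against login_vulnerable reports every payload as a successful bypass, while against login_safe it reports none, which is exactly the check an automated tool performs, just with a longer payload list.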
