For an introduction to SQL Injection (SQLi), see the article entitled “What is SQL Injection (SQLi)?”
As is the case in many security-related domains, preventing SQL Injection (SQLi) is accomplished through a combination of defensive measures, rather than a single counter-measure.
Preventing SQL Injection
The following strategies are prioritized in terms of the degree of protection afforded, although we would urge you to consider them all “must dos”:
- Perform Input Validation: It is essential that the application aggressively validate untrusted input (i.e. input that has not been previously validated) and reject inputs that do not meet the expectations of the application. The preferred approach, termed “whitelist validation”, refers to an implementation in which the application verifies that inputs are consistent with its requirements.
- Universally Use Prepared/Parameterized Statements: All major database access libraries support the ability to define SQL statements with “placeholders” that are subsequently programmatically populated with values using type-specific binding functions. Dynamic SQL statements that contain untrusted inputs must be diligently avoided.
- Enforce Least Privilege: There should be a one-to-one correspondence between the roles and permissions supported by the application and the underlying database accounts used by the application. That is, the database account used on behalf of the end user by the application should not enjoy more privileges than the user does within the application. Ideally, there should be multiple database accounts with different privileges, one corresponding to each role/permissions combination.
- Define a Custom Error Page: Most web-application frameworks such as J2EE, ASP .NET, PHP, etc. allow developers to define a page that will be displayed in the event of an unhandled exception, such as might be raised by the database when presented with malformed SQL. This is the means by which developers prevent information leakage in the form of error messages.
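As an added illustration (not code from the original article), the following Python snippet puts three of the measures above side by side: a lookup built from dynamic SQL, the same lookup done with whitelist validation plus a parameterized statement, and a request handler that returns only a generic error instead of the database's own message. The users table and its rows are constructed for the example; least privilege is configured on the database account itself and is not shown in code.

```python
import re
import sqlite3

# Constructed in-memory sample database for the example (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn

# Whitelist: a username is 3-16 chars, lowercase letter first, then [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")

def validate_username(value):
    """Whitelist validation: accept only the shape the application expects."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value

def lookup_vulnerable(conn, username):
    """Dynamic SQL containing untrusted input: the pattern the article says to avoid.
    A value containing a quote changes the structure of the statement."""
    query = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, username):
    """Validate first, then bind the value through a placeholder so the
    driver treats it strictly as data, never as part of the SQL text."""
    username = validate_username(username)
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]

def handle_request(conn, username):
    """Custom error handling: database exceptions are mapped to a generic
    response so driver/SQL error text never reaches the client."""
    try:
        return {"status": 200, "emails": lookup_safe(conn, username)}
    except ValueError:
        return {"status": 400, "error": "invalid input"}
    except sqlite3.Error:
        # Log the real exception server-side; the client sees only this.
        return {"status": 500, "error": "internal error"}
```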
For additional insight into detecting SQL Injection (SQLi) within applications, see the article entitled “How To Test For SQL Injection (SQLi)”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.