What is SQL injection and how do you prevent it?

Information, 25 Oct 2016, 03:23pm GMT

Structured Query Language (SQL) is the standard language for defining, querying and modifying data in relational databases such as Microsoft SQL Server, Oracle and MySQL. In modern web development these databases are the back end of web applications and content management systems, which means that both the content and the behavior of many websites are driven by data held in a database server.



A successful attack on the database that drives a website or web application can give an attacker a broad range of powers, from modifying site content to capturing sensitive information such as account credentials or internal business data. A SQL injection attack sends malicious commands to the database through the application's own input channels: the application takes input it has not validated, pastes it directly into the text of a SQL statement, and the database then executes whatever the attacker wrote as part of that statement. The objective is to make the database run attacker-controlled SQL that reveals sensitive information, alters data or otherwise compromises the server.


There are two main types of SQL injection attacks. First-order attacks are those in which the attacker receives the desired result immediately, either in the direct response from the application they are interacting with or through some other response mechanism such as email. Second-order attacks are those in which the attacker injects data that is stored in the database without harm at the time, and the payload is only activated later, when some other part of the application reads the stored value back and uses it unsafely in a new query.
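The two classes described above, as an added example that is not part of the original article. The code is Python using the standard library sqlite3 module with a constructed in-memory users table; the functions are deliberately vulnerable (they build SQL by string concatenation) so that a first-order login bypass and a second-order password takeover can be run end to end. All names and data here are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("admin", "s3cret-admin", "admin"), ("alice", "alice-pw", "user")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Deliberately vulnerable: user input is concatenated into the SQL text."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()  # (username, role) or None


def first_order_bypass(conn):
    """First-order: the payload is delivered and executed in the same request.

    The username closes the string literal and comments out the password check:
        ... WHERE username = 'admin' -- ' AND password = 'wrong'
    """
    return vulnerable_login(conn, "admin' -- ", "wrong")


def vulnerable_register(conn, username, password):
    """Registration stores the input safely (parameterized); the payload just sits in the table."""
    conn.execute("INSERT INTO users (username, password, role) VALUES (?, ?, 'user')",
                 (username, password))
    conn.commit()


def vulnerable_change_password(conn, user_id, new_password):
    """Second-order sink: reads the stored username back and trusts it in a new query."""
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?",
                               (user_id,)).fetchone()
    # Vulnerable concatenation. With the stored username "admin' -- " this becomes:
    #     UPDATE users SET password = 'pwned' WHERE username = 'admin' -- '
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, username)
    conn.execute(sql)
    conn.commit()


def second_order_takeover(conn):
    """Second-order: register a booby-trapped username, then trigger it later.

    Returns the admin account's password after the attack.
    """
    vulnerable_register(conn, "admin' -- ", "whatever")
    attacker_id = conn.execute("SELECT id FROM users WHERE username = ?",
                               ("admin' -- ",)).fetchone()[0]
    # The attacker only changes *their own* password through the normal feature...
    vulnerable_change_password(conn, attacker_id, "pwned")
    # ...but the stored payload redirected the UPDATE at the admin row.
    return conn.execute("SELECT password FROM users WHERE username = 'admin'").fetchone()[0]


if __name__ == "__main__":
    print("first-order bypass logged in as:", first_order_bypass(make_db()))
    print("admin password after second-order attack:", second_order_takeover(make_db()))
```

Note that the INSERT in the registration step is itself parameterized and perfectly safe; the bug is in the later UPDATE that trusts a value simply because it came from the database. That is the defining feature of a second-order attack, and it is why input filtering at the edge is not enough on its own.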


Recently, SQL injection has become a popular choice for hackers, used in attacks against Sony Pictures, PBS, Microsoft, Yahoo, LinkedIn, and the CIA.


The primary defenses used to prevent SQL injection attacks are -

1. Prepared Statements - Parameterized queries make the developer define the complete SQL statement first and then bind each user-supplied value as a separate parameter. The database receives the code and the data through different channels, so the input cannot change the structure of the query no matter what it contains. This is the single most effective defense and should be the default for every query that touches user input.


2. Escaping all User Supplied Input - Each DBMS supports one or more character escaping schemes, and each scheme is specific to a particular kind of query context (for example, a quoted string literal). If you escape every piece of user-supplied input with the correct scheme for your database and for the position in the query where it lands, the DBMS will not confuse that input with SQL code written by the developer. The caveat is that escaping is fragile: it does nothing for input that is used unquoted, such as a numeric value, a column name or an ORDER BY clause, where no quote character is needed to break out, and a single missed call leaves a hole. Treat it as a last resort for the rare query that cannot be parameterized, and combine it with strict type validation.


3. Use a web application firewall - A popular example is the free, open source module ModSecurity, which is available for Apache, Microsoft IIS and nginx web servers. Paired with a maintained rule set such as the OWASP Core Rule Set, ModSecurity filters potentially dangerous web requests, and its SQL injection rules catch many attempts to sneak SQL through web channels. A WAF is a defense-in-depth layer rather than a fix: rules are signature based and can be bypassed with encoding and obfuscation, so the application behind it must still use parameterized queries.


4. Stored Procedures - A stored procedure is defined and stored in the database itself and is called from the application with parameters, rather than the application assembling SQL from whatever a user entered. This helps only if the procedure is written safely: a procedure that builds dynamic SQL internally by concatenating its arguments (for example with EXEC or sp_executesql on SQL Server) is just as injectable as the application code it replaced.


5. Least Privilege - Minimize the privileges assigned to every database account so that each one has enough permission to do its job, but no more. The account the web application connects with should have only the SELECT, INSERT, UPDATE and DELETE rights it needs on the specific tables it uses; it should not own the schema, be able to DROP or ALTER tables, read other applications' data or call administrative features such as xp_cmdshell. This does not prevent injection, but it limits what a successful injection can reach.


6. Suppress error messages - Detailed database error messages are an important reconnaissance tool for attackers, since they reveal table and column names and confirm whether a payload changed the query, so log them server-side and never return them to the client. If a message must be shown to the user, keep it generic. Bear in mind that this only removes the easiest feedback channel; blind injection techniques that infer results from timing or from differences in page content still work against an application that has not been fixed.
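The hardened counterpart of the vulnerable login above, as an added example that is not part of the original article. It shows defenses 1, 2 and 6 from the list in Python with the standard library sqlite3 module and a constructed in-memory users table: a parameterized login, a string-literal escaping helper that works for quoted strings but demonstrably fails in a numeric context, and an endpoint that logs the real database error while returning a generic message. Defenses 3, 4 and 5 need a web server or a server DBMS with accounts and procedures and are not shown. All names here are assumptions made for the demonstration.

```python
import logging
import sqlite3

log = logging.getLogger("app")


def make_db():
    """Constructed sample data for the demonstration (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("admin", "s3cret-admin", "admin"), ("alice", "alice-pw", "user")])
    conn.commit()
    return conn


def safe_login(conn, username, password):
    """Defense 1: parameterized query. The SQL text is fixed; the input travels as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def escape_sqlite_string(value):
    """Defense 2: escaping for a SQLite *string literal* context (double each quote)."""
    return str(value).replace("'", "''")


def escaped_login(conn, username, password):
    """Escaping applied correctly: every value sits inside a quoted literal."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (escape_sqlite_string(username), escape_sqlite_string(password)))
    return conn.execute(sql).fetchone()


def escaped_lookup_by_id(conn, user_id):
    """The same escaping in a numeric context is useless: no quote is needed to break out.

    With user_id = "1 OR 1=1" the query becomes ... WHERE id = 1 OR 1=1 and returns everyone.
    """
    sql = "SELECT username FROM users WHERE id = %s ORDER BY id" % escape_sqlite_string(user_id)
    return [row[0] for row in conn.execute(sql).fetchall()]


def safe_lookup_by_id(conn, user_id):
    """Type validation plus a bound parameter: the value can only ever be one integer."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT username FROM users WHERE id = ? ORDER BY id", (uid,)).fetchall()
    return [row[0] for row in rows]


def login_endpoint(conn, username, password):
    """Defense 6: the detailed error goes to the server log; the client sees a generic message."""
    try:
        row = safe_login(conn, username, password)
    except sqlite3.Error as exc:
        log.error("database error during login: %s", exc)  # full detail stays server-side
        return {"status": 500, "body": "Login temporarily unavailable"}
    if row is None:
        return {"status": 401, "body": "Invalid credentials"}
    return {"status": 200, "body": "Welcome %s (role %s)" % row}


if __name__ == "__main__":
    db = make_db()
    print("parameterized login with injection payload:", safe_login(db, "admin' -- ", "wrong"))
    print("escaped lookup, numeric context, payload '1 OR 1=1':",
          escaped_lookup_by_id(db, "1 OR 1=1"))
    print("validated lookup with same payload:", safe_lookup_by_id(db, "1 OR 1=1"))
    print("endpoint:", login_endpoint(db, "admin", "s3cret-admin"))
```

The contrast between escaped_login and escaped_lookup_by_id is the point of the escaping caveat: the same helper that neutralizes a quote-based payload in a string literal does nothing where the input is used unquoted, whereas the bound parameter in safe_lookup_by_id is safe in either position.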


Parameterized queries on their own remove the vulnerability from the code; the other measures reduce the chance that an attack is attempted successfully or limit the damage when one is. Implementing all of them together provides a high degree of SQL injection prevention. So, have you ever experienced a SQL injection attack at your organization? How did your organization combat the attack? Please share in the comment section.