Security Information and Review

Collection of security information and review

How to prevent SQL Injection Attacks

Author : Admin

This article describes a number of ways to protect a web application from SQL injection attacks. SQL injection occurs when an application uses input from the user without first checking that it is valid text. The attack takes advantage of code that does not filter what the user types directly into a form: the application takes the raw input, builds an SQL command from it, and the back-end code executes that command. The place where SQL injection appears most often in web applications is the login form that accepts a user name and password to authenticate the user.
There are several methods for preventing SQL injection attacks:

Constrain, clean and sanitize input
Constrain, clean and sanitize the data entered in the web application's forms. Use a routine that checks and validates each input for type, length, format and range. Many web applications have no such validation routine at all. For example, an apostrophe in the input is a potential way to gain access to the system, so make sure the sanitizing step replaces or rejects it so that it cannot be used in an SQL injection attack. Another method is to set a maximum length on each input field, which stops a user or client from entering a long, complex SQL command.
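
The validation routine described above, written out as an added example (this is not code from the article). The field names, rules and limits are constructed for the example: strings are checked for type, maximum length and a whitelist pattern, integers for type and range, and any field that fails is rejected rather than escaped, so an apostrophe never reaches the SQL layer.

```python
import re

# Constructed field rules for a registration form (an assumption of this
# example): each field gets a type plus a length limit, a format and/or a range.
FIELD_RULES = {
    "username": {"type": str, "max_len": 32, "pattern": r"[A-Za-z0-9_.-]{3,32}"},
    "email":    {"type": str, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"},
    "age":      {"type": int, "min": 0, "max": 150},
}


def clean_field(name, raw):
    """Return the constrained value for one field or raise ValueError.

    Strings are checked for type, maximum length and a whitelist pattern;
    integers are converted and range-checked.  Anything outside the rule is
    rejected, so an apostrophe or SQL keyword never reaches the query layer."""
    rule = FIELD_RULES[name]
    if rule["type"] is int:
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise ValueError(f"{name}: not an integer")
        if not rule["min"] <= value <= rule["max"]:
            raise ValueError(f"{name}: out of range")
        return value
    if not isinstance(raw, str):
        raise ValueError(f"{name}: not a string")
    value = raw.strip()
    # Length check first: it is cheap and blocks long crafted input outright.
    if len(value) > rule["max_len"]:
        raise ValueError(f"{name}: longer than {rule['max_len']} characters")
    if not re.fullmatch(rule["pattern"], value):
        raise ValueError(f"{name}: invalid format")
    return value


def clean_form(form):
    """Validate a whole submitted form.

    Returns (cleaned, errors): cleaned holds only the fields that passed,
    errors maps each rejected or missing field to its reason.  Fields that
    are not in FIELD_RULES are ignored entirely."""
    cleaned, errors = {}, {}
    for name in FIELD_RULES:
        if name not in form:
            errors[name] = f"{name}: missing"
            continue
        try:
            cleaned[name] = clean_field(name, form[name])
        except ValueError as exc:
            errors[name] = str(exc)
    return cleaned, errors


if __name__ == "__main__":
    # Constructed form submissions: one clean, one with an apostrophe and
    # two other bad values.
    print(clean_form({"username": "alice_01", "email": "alice@example.com", "age": "30"}))
    print(clean_form({"username": "O'Brien", "email": "not-an-email", "age": "999"}))
```

Only the cleaned dictionary should ever be handed to the database layer; the errors dictionary goes back to the form so the user can correct the fields.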

Use parameterized queries and stored procedures
Using stored procedures does not by itself prevent SQL injection if they are called without parameters. What matters is to use stored procedures with parameters. If we do not use parameters, a stored procedure that works on unfiltered input is just as susceptible to SQL injection as inline SQL.

Use parameters with dynamic SQL
If stored procedures with parameters cannot be used in our web application, we should still use parameters when constructing dynamic SQL statements. This too is a method of preventing SQL injection attacks.
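
The two preceding sections (parameterized queries, and parameters in dynamic SQL) as one added example using Python's built-in sqlite3 driver; it is not code from the article. The users table and its rows are constructed for the example. The concatenated lookup is shown only to contrast it with the parameterized one: a legitimate name containing an apostrophe is enough to break it, because the input has become part of the statement's structure. The search function shows dynamic SQL done safely: the WHERE clause is assembled at run time, but column names come from a whitelist (they cannot be bound as parameters) and every value is bound.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pwhash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("O'Brien", "hash-of-obrien-pw", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """VULNERABLE: the value is pasted into the SQL text, so whatever the user
    typed becomes part of the statement's structure.  Even a legitimate name
    with an apostrophe breaks the query; crafted input can rewrite it."""
    sql = "SELECT id, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, username):
    """Parameterized: the driver binds the value separately from the SQL text,
    so it is only ever compared as data and never parsed as SQL."""
    sql = "SELECT id, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


# Column names cannot be bound as parameters, so dynamic SQL whitelists them.
ALLOWED_FILTER_COLUMNS = ("username", "role")


def search_users(conn, filters):
    """Dynamic SQL done safely: the WHERE clause is assembled at run time from
    the caller's filters, but column names come from a fixed whitelist and
    every value is passed as a bound parameter."""
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"filtering on {column!r} is not allowed")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT username, role FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql + " ORDER BY username", params).fetchall()


def compare_lookup(username):
    """Run the same lookup both ways; report the unsafe query's outcome as
    either the row it returned or the name of the exception it raised."""
    conn = make_db()
    safe = find_user_safe(conn, username)
    try:
        unsafe = find_user_unsafe(conn, username)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    conn.close()
    return safe, unsafe


if __name__ == "__main__":
    print(compare_lookup("alice"))     # both queries find the admin row
    print(compare_lookup("O'Brien"))   # safe finds the row; unsafe raises OperationalError
    print(search_users(make_db(), {"role": "user"}))
```

The same `?` placeholder style works for INSERT and UPDATE; other drivers use `%s` or named placeholders, but the principle is identical: the SQL text is fixed by the code and the values travel separately.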

Limit the error messages displayed
Make sure the web server gives the user very little information when an error occurs. If database access fails, make sure the web server does not dump the failure details or display them to the client. If we want to debug the application, do not do it on the production (live) server.
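
One way to apply this rule in application code, as an added example (not from the article): database failures are logged in full on the server under a random reference id, while the client receives only a generic message and that id. The detailed error text is attached to the response only when a debug flag is set, which is the switch that must stay off on the live server. The in-memory table and the "no such table" failure are constructed for the example.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("webapp.db")


def make_conn():
    """Constructed in-memory database standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO products (name) VALUES ('widget')")
    conn.commit()
    return conn


def run_query(conn, sql, params=(), debug=False):
    """Execute a query on behalf of a web request.

    On success the rows are returned.  On a database failure the full detail
    (statement text and driver message) goes to the server log under a random
    reference id, and the client gets only a generic message plus that id,
    which support staff can match against the log.  The raw error text is put
    in the response only when debug is True, which must never be the case on
    the production server."""
    try:
        rows = conn.execute(sql, params).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        # Parameters are deliberately not logged: they may hold passwords.
        log.error("database failure ref=%s sql=%r error=%s", ref, sql, exc)
        response = {
            "ok": False,
            "error": "A temporary problem occurred. Please try again later.",
            "ref": ref,
        }
        if debug:
            response["detail"] = str(exc)   # development instance only
        return response


if __name__ == "__main__":
    conn = make_conn()
    print(run_query(conn, "SELECT name FROM products"))
    print(run_query(conn, "SELECT * FROM no_such_table"))              # generic message
    print(run_query(conn, "SELECT * FROM no_such_table", debug=True))  # detail attached
```

The reference id is what makes the generic message workable in practice: the user can quote it, and the operator can find the matching log line without anything about table names or SQL text ever leaving the server.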

Limit the permissions of the database account
Use a least-privileged database account for the web application's connection to the database server. Rather than the top-level administrator account, create a new database user that holds only the permissions the web application requires. For example, for the front end of a web application that only reads data from the database, use an account that has only SELECT permission.
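
A runnable illustration of the SELECT-only account, added here and not part of the article. On a real database server this is done with a dedicated login and GRANT statements; sqlite has no GRANT, so the example (an assumption of this example) emulates the read-only account with sqlite3's per-connection authorizer hook, which is consulted for every action a statement attempts. The shared in-memory database and its rows are constructed for the example.

```python
import sqlite3

# Constructed shared in-memory database so two connections can see the same data.
DB_URI = "file:least_priv_demo?mode=memory&cache=shared"

# Actions the front-end connection may perform: running a SELECT, reading
# columns, and calling built-in functions such as COUNT().  Everything else
# (INSERT, UPDATE, DELETE, DROP, PRAGMA, transactions, ...) is denied.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """sqlite3 authorizer callback: allow read actions, deny the rest."""
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def open_admin():
    """Full-privilege connection, used only by setup and migration code."""
    return sqlite3.connect(DB_URI, uri=True)


def open_frontend():
    """Connection the web front end uses: same database, SELECT only."""
    conn = sqlite3.connect(DB_URI, uri=True)
    conn.set_authorizer(read_only_authorizer)
    return conn


def setup_demo_data(admin):
    """Constructed products table, created through the privileged connection."""
    admin.execute("CREATE TABLE IF NOT EXISTS products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    admin.execute("DELETE FROM products")
    admin.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                      [("widget", 9.99), ("gadget", 24.50)])
    admin.commit()


def attempt(conn, sql, params=()):
    """Run a statement and report ('ok', rows) or ('denied', message)."""
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))


def demo():
    """Exercise the read-only connection; returns each attempt's outcome."""
    admin = open_admin()          # stays open so the shared in-memory DB persists
    setup_demo_data(admin)
    frontend = open_frontend()
    results = {
        "select": attempt(frontend, "SELECT name FROM products WHERE price < ?", (10,)),
        "count": attempt(frontend, "SELECT COUNT(*) FROM products"),
        "insert": attempt(frontend, "INSERT INTO products (name, price) VALUES (?, ?)", ("x", 1.0)),
        "drop": attempt(frontend, "DROP TABLE products"),
    }
    frontend.close()
    admin.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:7s} -> {outcome}")
```

The point carries over directly to server databases: even if an injection flaw slips through, a connection that can only SELECT cannot be used to modify or drop tables, which limits the damage.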

Turn on magic quotes
If we use PHP as the server-side scripting language, turn on magic quotes; in the PHP configuration this is the magic_quotes_gpc setting. With magic quotes on, PHP automatically escapes quotes in incoming data, so a quote is treated as part of the query value just like any other character. This is done automatically for all HTTP request data: POST, GET and COOKIE. Magic quotes cannot stop every SQL injection attack, however: data that reaches an SQL statement from the database itself or from files is not filtered, and can be manipulated into an SQL injection attack. In a PHP script, for example, an input field can be checked and cleaned by first testing whether magic quotes is on with get_magic_quotes_gpc(); if it returns false, quotes and other special characters can be escaped manually with the simple addslashes() function.

Encrypt sensitive data
Sensitive fields such as passwords and other secrets must be encrypted so that an attacker cannot read any secret information from the web application. For items such as passwords, the user's password can be stored as a "salted hash": when a user creates a password, the application generates a random "salt" value and appends it to the password, and the password-and-salt are then passed through a one-way hashing routine, such as the SHA1, MD5 and other functions found in PHP.
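
The salted-hash scheme from the paragraph above as an added example (not code from the article). It keeps the article's structure, a random salt per password fed together with the password through a one-way function, but swaps in PBKDF2-HMAC-SHA256 from Python's standard library for the plain SHA1/MD5 the article names, because an iterated hash makes guessing against a stolen record much slower; the iteration count and record format are assumptions of the example. Verification recomputes the hash from the stored salt and compares in constant time.

```python
import hashlib
import hmac
import secrets

# Iteration count for PBKDF2 (an assumption of this example; tune for your server).
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a storable credential record "pbkdf2_sha256$iterations$salt$hash".

    A fresh random salt is generated for every password unless one is given
    (the optional argument exists only so the function can be tested
    deterministically).  Password and salt go through PBKDF2-HMAC-SHA256, an
    iterated one-way hash, so two users with the same password get different
    records and brute force against a stolen record is slow."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time.  A malformed record verifies as False instead of raising."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256" or iterations < 1 or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed password
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
```

Storing the algorithm name and iteration count inside the record is what lets the iteration count be raised later for new passwords while old records still verify.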

The best method of preventing SQL injection attacks on a web application is a combination of all the solutions above. I hope this article is useful and of benefit to all visitors, especially my friends.

Categories: Web Application Security
Thanks for writing, I truly liked reading your most recent post. I think you should post more often, you obviously have talent for blogging!
29 May 09 at 09:44
The article is useful for me. I’ll be coming back to your blog.
15 June 09 at 13:08
thanks for your visit, hopefully this article can be useful for all of us.
18 June 09 at 11:36
If you like this post, please leave a message or comment.