What is SQL Injection and How To Prevent It?

What is SQL injection?

SQL injection is a type of web application security vulnerability in which an attacker is able to submit SQL commands that the web application passes to, and executes against, the back-end database. SQL injection is one of the most prevalent types of web application security vulnerabilities.

In this technique malicious users inject SQL commands into an SQL statement via web page input. The injected commands alter the SQL statement and compromise the security of the web application. By exploiting an SQL injection flaw, attackers can create, read, modify or delete sensitive data.

Are you vulnerable?

You may be vulnerable to SQL injection if:

  • Data entered by users is sent to the SQL interpreter as part of an SQL query.
  • Input isn’t validated.
  • An attacker can exploit a software vulnerability to supply malicious input data that the web app executes.
  • You have vulnerabilities at the database layer.

How to prevent SQL injection?

  • Adopt an input validation technique whereby user input is checked against business rules and a definite set of rules for length, type and syntax.
  • Ensure that the users with permission to access the database have the least privileges they need.
  • Do not use a system administrator account such as ‘sa’ for web applications.
  • Create application-specific database user accounts.
  • Remove all stored procedures that are not in use.
  • Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.

Example Code:

Here is a short example of code that is vulnerable to SQL injection, together with the query that results when a crafted password is submitted. This is for educational purposes only.

//Vulnerable Code: the user-supplied username and password are concatenated
//straight into the SQL text, so quote characters in the input become SQL.

String SQLQuery = "SELECT Username, Password "
    + "FROM users WHERE Username='" + username + "' "
    + "AND Password='" + password + "'";

Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(SQLQuery);
while (rs.next()) { ... }

//Resulting Query

SELECT Username, Password FROM users
WHERE Username='admin' AND
Password='' or 'a'='a'

Because the appended condition or 'a'='a' is always true, the WHERE clause matches every row and the password check is bypassed. This is how input supplied through a website’s security flaws ends up executed as code by the database, and how databases are compromised and their data stolen.
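The vulnerable pattern above beside its parameterized fix, as an added example that is not part of the original article. It uses Python’s built-in sqlite3 with a constructed in-memory users table (the table, rows and helper names are assumptions for this example); the crafted password is the one that produces the resulting query shown above.

```python
import sqlite3


def make_db():
    # Constructed sample database; these rows are assumptions for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the article's Java snippet: the input is concatenated into the
    # SQL text, so a quote in the input closes the literal and the rest is
    # parsed as SQL.
    sql = ("SELECT Username, Password FROM users WHERE Username='" + username
           + "' AND Password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    # Placeholder markers: the driver sends the values separately from the SQL
    # text, so the input is compared as data and never parsed as SQL.
    sql = "SELECT Username, Password FROM users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()


def is_valid_username(username, max_len=32):
    # Allow-list validation of length, type and syntax, applied before any
    # query is built; defence in depth on top of parameterization.
    return (isinstance(username, str)
            and 0 < len(username) <= max_len
            and username.isalnum())


if __name__ == "__main__":
    conn = make_db()
    crafted = "' or 'a'='a"   # yields: ... AND Password='' or 'a'='a'
    print(login_vulnerable(conn, "admin", crafted))      # every row is returned
    print(login_parameterized(conn, "admin", crafted))   # no row matches
    print(is_valid_username(crafted))                    # False: rejected up front
```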


Ganesh Venigalla

Geek, Passionate, Nerd for Tech!
