What is SQL Injection and How To Prevent It?
SQL injection is a type of web application security vulnerability in which an attacker is able to submit SQL commands that the web application executes against its back-end database, exposing that database. SQL injection is one of the most prevalent types of web application security vulnerabilities.
In this technique malicious users inject SQL commands into an SQL statement via web page input. The injected SQL alters the statement the application intended to run and compromises the security of the web application. By exploiting an SQL injection flaw, attackers can create, read, modify or delete sensitive data.
Are you vulnerable?
You may be vulnerable to SQL injection if:
- Data entered by users is sent to the SQL interpreter as part of an SQL query.
- Input isn’t validated.
- An attacker can exploit a software vulnerability to supply malicious input data that the web application executes.
- You have vulnerabilities at the database layer.
How to prevent SQL injection?
- Adopt an input validation technique whereby user input is checked against business rules and a definite set of rules for length, type and syntax.
- Ensure that the accounts the application uses to access the database have the least privileges they need.
- Do not use a system administrator account such as ‘sa’ for web applications.
- Create application-specific database user accounts.
- Remove all stored procedures that are not in use.
- Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.
Example Code:
Here is a short example of code that is vulnerable to SQL injection, and of the query that results when injected input reaches it. This is for educational purposes only.
import java.sql.*;   // assumes a java.sql.Connection named "connection" is already open

// Vulnerable code: user-controlled Username and password are concatenated straight into the SQL string
String SQLQuery = "SELECT Username, Password FROM users WHERE Username='" + Username + "' AND Password='" + password + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(SQLQuery);
while (rs.next()) { ... }

// Resulting query when the password field contains: ' or 'a'='a
SELECT Username, Password FROM users WHERE Username='admin' AND Password='' or 'a'='a'
Because the application builds the query by string concatenation, the quote characters in the submitted password close the Password literal and append an `or 'a'='a'` condition that is always true, so the WHERE clause matches every row and the password check is bypassed. This is how such flaws let an attacker compromise a database and extract its data.
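The following is an added example, not code from the original article. It rebuilds the article's vulnerable query in Python against a constructed in-memory SQLite table (the table, the sample users and the `login_*` function names are assumptions made for the demonstration), feeds it the same `' or 'a'='a` input shown above, and then applies two of the recommendations from the prevention list: a syntax rule on the username and a parameterized query with `?` placeholders. The parameterized version treats the whole input as a single literal value, so the injected condition never becomes part of the SQL.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: two users, plaintext passwords for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    return conn


def render_vulnerable_query(username, password):
    """Mirrors the article's Java snippet: untrusted input concatenated into SQL."""
    return (
        "SELECT Username, Password FROM users WHERE Username='"
        + username + "' AND Password='" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Executes the concatenated query; returns whatever rows the database matches."""
    return conn.execute(render_vulnerable_query(username, password)).fetchall()


# Input validation rule for usernames (assumed business rule: letters, digits,
# underscore, 1 to 32 characters). Quotes, spaces and comment markers are rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def login_safe(conn, username, password):
    """Validation plus a parameterized query: the driver binds each value as data."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails length/type/syntax rules")
    query = "SELECT Username, Password FROM users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Runs both versions with the article's injected password and reports row counts."""
    conn = make_db()
    injected_password = "' or 'a'='a"
    vulnerable_rows = login_vulnerable(conn, "admin", injected_password)
    safe_rows = login_safe(conn, "admin", injected_password)
    return {
        "query": render_vulnerable_query("admin", injected_password),
        "vulnerable_rows": len(vulnerable_rows),   # every user row comes back
        "parameterized_rows": len(safe_rows),      # no row matches the literal string
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable path SQL precedence makes the WHERE clause read as `(Username='admin' AND Password='') OR ('a'='a')`, so both constructed rows are returned; the parameterized path compares the Password column against the literal string `' or 'a'='a` and returns nothing. The regex rule is an extra layer, not a substitute for placeholders: the parameterized query alone is what stops the injection, while validation limits what reaches the database in the first place.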
Want to add something, tell us in comments below. Don’t forget to share this article, and like our Facebook page to get such security updates directly to your NewsFeed.