What is SQL injection?
SQL Injection is a technique that uses code injection and can modify, alter or even destroy your databases. This attack is considered as one of the most common techniques of web hacking and is widely used. SQL Injection basically injects malicious code inside a SQL query using input fields available on the web page.
An SQL injection attack is caused by a common programming error and can cause a lot of trouble. Many hackers start discovering vulnerabilities from input fields by using SQL injection attacks.
Here is the list of things a developer should implement while developing a website to tackle the SQL injection attack.
5 strategies every developer should implement for preventing SQL Injection
1. Limit the use of dynamic queries
However, if you stop using dynamic queries, then the sites you can create will be very static. No one uses static websites nowadays, so limiting the use of dynamic queries can be the solution for preventing SQL injection attacks. using parameterized queries can be useful.
Parameterized queries developer needs to define all SQL code, and then pass each parameter to the query later. This enables the database to distinguish between code and data, without depending on what the input is.
language-specific queries:-
- Java EE – use
PreparedStatement()
with bind variables. - Hibernate – use
createQuery()
with bind variables (called named parameters in Hibernate). - SQLite – use
sqlite3_prepare()
to create a statement object. - .NET – use parameterized queries like
SqlCommand()
orOleDbCommand()
with bind variables. - PHP – use PDO with strongly typed parameterized queries (using bindParam()).
2. Validate input on the server-side
Validation is the process of making sure only properly formed data is entering the workflow in an information system, and stop the malicious or malformed data from getting inside the database. This should happen as soon as the data is entered by the user.
In PHP use following
mysql\_real\_escape\_string()
This simple modification will stop attacks containing character (\) in front of the single quotes that were intentionally added by the hacker. client-side validation is good but having server-side input validation will ensure you more security.
Read full article
OWASP Top 10 Vulnerability and preventions.
These are very important from the point of view of your website. Do check if you have some vulnerabilities in your website.
3. Turn off magic quotes
This method can help to stop some SQL injection attacks. Unfortunately, this is not a very reliable method but can be used to prevent some attacks. In any case, you need to have code to substitute quotes with slashes. Here is the simplest way to do it:
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
}
4. Store database credentials in a different file
This will ensure that even if the database is compromised hackers cannot gain a lot of information through it. and can reduce the damage. So get all database credentials in a different file.
5. Use list privilege
Give only needed privilege to users, don’t give whole database access. as it will ensure hacker cannot get admin like privileges, so he or she won’t benefit much.
Have a comment on this SQL Injection cheat sheet? Please click “Add Your Comment” below. If you’d like to contact cybercrip’s editors directly, send us a message.