preventing sql injection attack

Best practices for preventing SQL Injection attack

What is SQL injection?

SQL Injection is a technique that uses code injection and can modify, alter or even destroy your databases. This attack is considered as one of the most common techniques of web hacking and is widely used. SQL Injection basically injects malicious code inside a SQL query using input fields available on the web page.

An SQL injection attack is caused by a common programming error and can cause a lot of trouble. Many hackers start discovering vulnerabilities from input fields by using SQL injection attacks.

Here is the list of things a developer should implement while developing a website to tackle the SQL injection attack.

5 strategies every developer should implement for preventing SQL Injection

1. Limit the use of dynamic queries

However, if you stop using dynamic queries, then the sites you can create will be very static. No one uses static websites nowadays, so limiting the use of dynamic queries can be the solution for preventing SQL injection attacks. using parameterized queries can be useful.

Parameterized queries developer needs to define all SQL code, and then pass each parameter to the query later. This enables the database to distinguish between code and data, without depending on what the input is.

language-specific queries:-

  • Java EE – use PreparedStatement() with bind variables.
  • Hibernate – use createQuery() with bind variables (called named parameters in Hibernate).
  • SQLite – use sqlite3_prepare() to create a statement object.
  • .NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables.
  • PHP – use PDO with strongly typed parameterized queries (using bindParam()).

2. Validate input on the server-side

Validation is the process of making sure only properly formed data is entering the workflow in an information system, and stop the malicious or malformed data from getting inside the database. This should happen as soon as the data is entered by the user.

In PHP use following

mysql\_real\_escape\_string()

This simple modification will stop attacks containing character (\) in front of the single quotes that were intentionally added by the hacker. client-side validation is good but having server-side input validation will ensure you more security.

Read full article

OWASP Top 10 Vulnerability and preventions.
These are very important from the point of view of your website. Do check if you have some vulnerabilities in your website.

Read article

3. Turn off magic quotes

This method can help to stop some SQL injection attacks. Unfortunately, this is not a very reliable method but can be used to prevent some attacks. In any case, you need to have code to substitute quotes with slashes. Here is the simplest way to do it:

if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
}

4. Store database credentials in a different file

This will ensure that even if the database is compromised hackers cannot gain a lot of information through it. and can reduce the damage. So get all database credentials in a different file.

5. Use list privilege

Give only needed privilege to users, don’t give whole database access. as it will ensure hacker cannot get admin like privileges, so he or she won’t benefit much.

Have a comment on this SQL Injection cheat sheet? Please click “Add Your Comment” below. If you’d like to contact cybercrip’s editors directly, send us a message.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending now

ransomware
What Ransomware is all about?
cyberbullying
Cyberbullying​: A type of cybercrime​.
website security
7 Ideas for your website security
various important devices associated with cloud interface, and how important it is to secure those.
Cloud security: 5 major challenges and preventions