How do I protect my web site from an SQL injection attack?

chinmay.sahoo

New member
An SQL injection attack occurs when an attacker exploits a legitimate user input mechanism on your site to send SQL code that your unsuspecting script passes on to the database for execution. The golden rule for avoiding SQL injection attacks is: escape all data from external sources before letting it near your database. That rule doesn’t just apply to INSERT and UPDATE queries, but also to SELECT queries .
 
Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database.

This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.

Please consult the following resources for implementing parameterized database queries and preventing SQL Injection in your code base:

OWASP Guide to SQL Injection (link is external)
OWASP SQL Injection Prevention Cheat Sheet (link is external)
Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:

Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
Utilize the principle of least privilege (link is external) when provisioning accounts used to connect to the SQL database. For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts. Never allow your web application to connect to the database with Administrator privileges (the "sa" account on Microsoft SQL Server, for instance).
Do not use shared database accounts between different web sites or applications.
Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.
 
Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
Utilize the principle of least privilege (link is external) when provisioning accounts used to connect to the SQL database. For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts. Never allow your web application to connect to the database with Administrator privileges (the "sa" account on Microsoft SQL Server, for instance).
Do not use shared database accounts between different web sites or applications.
Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.


Deliver2inbox
 
Back
Top