• Home
  • Archive
  • Tools
  • Contact Us

The Customize Windows

Technology Journal

  • Cloud Computing
  • Computer
  • Digital Photography
  • Windows 7
  • Archive
  • Cloud Computing
  • Virtualization
  • Computer and Internet
  • Digital Photography
  • Android
  • Sysadmin
  • Electronics
  • Big Data
  • Virtualization
  • Downloads
  • Web Development
  • Apple
  • Android
Advertisement
You are here: Home » How to Prevent SQL Injection

By Abhishek Ghosh September 7, 2021 7:10 pm Updated on June 6, 2022

How to Prevent SQL Injection

Advertisement

SQL injection is the exploitation of a vulnerability related to SQL databases. The vulnerability is usually caused by a programming bug in a program that accesses the database. Due to this programming error, an attacker can inject database commands and, depending on the individual case, read further data from the database, change or delete data without authorization or even take control of the entire database server. Relational database management systems (RDBMS) such as Oracle, MySQL and Microsoft SQL Server are popular in the market as they are considered as reliable and avoid inconsistencies in the data sets, they have been set as the established standard for databases in most companies for decades. But, SQL injection is one of the common types of attacks on databases via web applications, so it is important to learn how to protect your business. Successful exploitation of a SQL injection requires:

  1. A SQL database, for example MySQL, Microsoft SQL Server, Db2
  2. An application program in which attackers can enter data, such as a login, a product search in an online shop or a contact form on the web
  3. The application can forward the data to the database
  4. A programming error in the application program when passing the data
  5. The programming error is that the application program does not pass on the input data to the database as pure data, but generates the database query from this data. This allows an attacker to attempt to target parts of the database query.

In the database query language SQL, some characters have a special meaning, in particular:

  • the apostrophe enclose text data
  • the quotation mark to enclose text data (some databases only)
  • the backslash so as not to interpret the following character as a special character
  • the semi-colon to separate a database command from the next database command
  • a double hyphen to ignore the rest of the line (comment)

An attacker uses these characters specifically to carry out the attack. To run queries and edit the data in the database, Structured Query Language (SQL) is usually used.

Advertisement

---

 

How SQL Injection Usually Happens

 

For example, a webshop product search Server, run queries in a database and returns the results to the webshop as a search result. The stored information is vulnerable to so-called SQL injection, which injects arbitrary code into database queries. Attackers can also modify cookies to infect the query of the web application. The same is possible via server variables such as HTTP headers. Fake headers containing any SQL can inject this code into the database if the web application does not clean up this input either.

 

How to Prevent SQL Injection

 

To prevent SQL injections, user-entered data must not be readily incorporated into a SQL statement. Input data can be checked for the properties of expected values. However, the safest way is to keep the data away from the SQL interpreter at all. You can do without cutting the input. The technique for this are bound parameters in Prepared Statements. The data is passed as a parameter to an already compiled command. The data is thus not interpreted and SQL injection is prevented. Stored procedures, on the other hand, do not provide general protection against SQL injection, especially if the SQL code of the function is not known.

However, security precautions can also be taken on the database server-side. For example, the users with whom a Web application authenticates to the database server should have only the privileges that it needs. Thus, at least some of the possible attacks can become ineffective. An SQL Server performance monitor can be a helpful tool.

If a web server operator has no control over the applications, the use of Web Application Firewalls (WAF) can at least partially prevent SQL injection vulnerabilities from being exploited. Regardless of the control over the applications, an operator of a web server can additionally increase security through the targeted use of a WAF, since many WAFs offer not only defensive but also prophylactic measures.

It is not difficult to rebuild existing programs in such a way that SQL injections are no longer possible. The main problem of most programmers is a lack of knowledge about these types of attacks. In PHP, the PHP Data Objects library is available for database access.

Example without Prepared Statement:

Vim
1
2
$dbh->exec("INSERT INTO REGISTRY (name, value)
            VALUES (".$dbh->"($name,PDO::PARAM_STR).", ".$dbh->"($value,PDO::PARAM_INT).")");

Example with Prepared Statement:

Vim
1
2
3
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

    1. Use input validation and filtering for user-submitted data. This will help to prevent dangerous character injections.
    2. It is safe to use prepared statements, or stored procedures and avoid dynamic SQL
    3. Update regularly
    4. Patch regularly
    5. Monitor SQL statements with tools (like Stackify)
    6. Use a web application firewall
    7. Limit privilage of the MySQL users (grant all not always required, you can test with different levels of privileges)
    8. Offload comment, search etc to third party server
    9. Consider to deactivate pingback, trackback functions in web applications
    10. Block port 3306
How to Prevent SQL Injection

A comprehensive and detailed description of all relevant protective measures can be found in the SQL Injection Prevention Cheat Sheet from OWASP. If there is a loophole despite cleaning effort, it is necessary to restrict the privileges of database users. Commands such as “DROP TABLES”, should not be executable in a web application with a high risk of attack.

Sqlmap is a tool which you can use to test your database. You can remove strings with Apache web server.

As for WordPress, new vulnerabilities are discovered each day. Use reputed plugins and avoid using null themes. Who has nulled the costly theme likely has worse money making idea.

This Article Has Been Shared 452 Times!

Facebook Twitter Pinterest
Abhishek Ghosh

About Abhishek Ghosh

Abhishek Ghosh is a Businessman, Surgeon, Author and Blogger. You can keep touch with him on Twitter - @AbhishekCTRL.

Here’s what we’ve got for you which might like :

Articles Related to How to Prevent SQL Injection

  • Cloud Computing Articles : Compilation of Important Articles

    Cloud Computing articles compiles 750+ articles we have published so far up to date separating them in sub categories which can be helpful to any level of user.

  • LinkedIn Profile Badge using LinkedIn API Guide

    LinkedIn Profile Badge can be created using LinkedIn API . Here is step by step guide with tools needed for troubleshooting for successfully creating the badge.

  • Cloud Computing and Handling of Confidentiality of Personal Data

    Cloud Computing and Handling of Confidentiality of Personal Data is much important aspect as data must be protected to be accessed by unauthorized persons.

  • What is Elasticity in Cloud Computing

    Elasticity in cloud computing is the ability of this cloud to adapt to application needs as quickly as possible. There are several definitions according to the authors, some considering the concepts of scalability and elasticity as identical, others as distinct. The arrival of such distributed systems (see Distributed Calculation) inevitably leads to technical problems that […]

  • The Triad of Integrated Modeling

    The central success factor of a model is easy to name. It must provide as many answers as possible to questions in the area for which it was created. Sounds trivial, but is often not easy to implement. Models should provide answers. However, it becomes particularly complex if not only a domain such as classic […]

Additionally, performing a search on this website can help you. Also, we have YouTube Videos.

Take The Conversation Further ...

We'd love to know your thoughts on this article.
Meet the Author over on Twitter to join the conversation right now!

If you want to Advertise on our Article or want a Sponsored Article, you are invited to Contact us.

Contact Us

Subscribe To Our Free Newsletter

Get new posts by email:

Please Confirm the Subscription When Approval Email Will Arrive in Your Email Inbox as Second Step.

Search this website…

 

Popular Articles

Our Homepage is best place to find popular articles!

Here Are Some Good to Read Articles :

  • Cloud Computing Service Models
  • What is Cloud Computing?
  • Cloud Computing and Social Networks in Mobile Space
  • ARM Processor Architecture
  • What Camera Mode to Choose
  • Indispensable MySQL queries for custom fields in WordPress
  • Windows 7 Speech Recognition Scripting Related Tutorials

Social Networks

  • Pinterest (22.1K Followers)
  • Twitter (5.8k Followers)
  • Facebook (5.7k Followers)
  • LinkedIn (3.7k Followers)
  • YouTube (1.3k Followers)
  • GitHub (Repository)
  • GitHub (Gists)
Looking to publish sponsored article on our website?

Contact us

Recent Posts

  • The Cost of Doing Business as a Handyman July 1, 2022
  • Samsung Galaxy S22 Ultra: Long Term Review June 30, 2022
  • How to Make the Most of Your S Pen (S22 Ultra) June 29, 2022
  • Safe Chargers for Samsung Galaxy S22 Ultra June 27, 2022
  • How Telecoms Can Use The Cloud To Power Their 5G Network June 24, 2022

About This Article

Cite this article as: Abhishek Ghosh, "How to Prevent SQL Injection," in The Customize Windows, September 7, 2021, July 2, 2022, https://thecustomizewindows.com/2021/09/how-to-prevent-sql-injection/.

Source:The Customize Windows, JiMA.in

This website uses cookies. If you do not want to allow us to use cookies and/or non-personalized Ads, kindly clear browser cookies after closing this webpage.

Read Privacy Policy.

PC users can consult Corrine Chorney for Security.

Want to know more about us? Read Notability and Mentions & Our Setup.

Copyright © 2022 - The Customize Windows | dESIGNed by The Customize Windows

Copyright  · Privacy Policy  · Advertising Policy  · Terms of Service  · Refund Policy