• Home
  • Archive
  • Tools
  • Contact Us

The Customize Windows

Technology Journal

  • Cloud Computing
  • Computer
  • Digital Photography
  • Windows 7
  • Archive
  • Cloud Computing
  • Virtualization
  • Computer and Internet
  • Digital Photography
  • Android
  • Sysadmin
  • Electronics
  • Big Data
  • Virtualization
  • Downloads
  • Web Development
  • Apple
  • Android
Advertisement
You are here:Home » How to Prevent SQL Injection

By Abhishek Ghosh September 7, 2021 7:10 pm Updated on June 6, 2022

How to Prevent SQL Injection

Advertisement

SQL injection is the exploitation of a vulnerability related to SQL databases. The vulnerability is usually caused by a programming bug in a program that accesses the database. Due to this programming error, an attacker can inject database commands and, depending on the individual case, read further data from the database, change or delete data without authorization or even take control of the entire database server. Relational database management systems (RDBMS) such as Oracle, MySQL and Microsoft SQL Server are popular in the market as they are considered as reliable and avoid inconsistencies in the data sets, they have been set as the established standard for databases in most companies for decades. But, SQL injection is one of the common types of attacks on databases via web applications, so it is important to learn how to protect your business. Successful exploitation of a SQL injection requires:

  1. A SQL database, for example MySQL, Microsoft SQL Server, Db2
  2. An application program in which attackers can enter data, such as a login, a product search in an online shop or a contact form on the web
  3. The application can forward the data to the database
  4. A programming error in the application program when passing the data
  5. The programming error is that the application program does not pass on the input data to the database as pure data, but generates the database query from this data. This allows an attacker to attempt to target parts of the database query.

In the database query language SQL, some characters have a special meaning, in particular:

  • the apostrophe enclose text data
  • the quotation mark to enclose text data (some databases only)
  • the backslash so as not to interpret the following character as a special character
  • the semi-colon to separate a database command from the next database command
  • a double hyphen to ignore the rest of the line (comment)

An attacker uses these characters specifically to carry out the attack. To run queries and edit the data in the database, Structured Query Language (SQL) is usually used.

Advertisement

---

 

How SQL Injection Usually Happens

 

For example, a webshop product search Server, run queries in a database and returns the results to the webshop as a search result. The stored information is vulnerable to so-called SQL injection, which injects arbitrary code into database queries. Attackers can also modify cookies to infect the query of the web application. The same is possible via server variables such as HTTP headers. Fake headers containing any SQL can inject this code into the database if the web application does not clean up this input either.

 

How to Prevent SQL Injection

 

To prevent SQL injections, user-entered data must not be readily incorporated into a SQL statement. Input data can be checked for the properties of expected values. However, the safest way is to keep the data away from the SQL interpreter at all. You can do without cutting the input. The technique for this are bound parameters in Prepared Statements. The data is passed as a parameter to an already compiled command. The data is thus not interpreted and SQL injection is prevented. Stored procedures, on the other hand, do not provide general protection against SQL injection, especially if the SQL code of the function is not known.

However, security precautions can also be taken on the database server-side. For example, the users with whom a Web application authenticates to the database server should have only the privileges that it needs. Thus, at least some of the possible attacks can become ineffective. An SQL Server performance monitor can be a helpful tool.

If a web server operator has no control over the applications, the use of Web Application Firewalls (WAF) can at least partially prevent SQL injection vulnerabilities from being exploited. Regardless of the control over the applications, an operator of a web server can additionally increase security through the targeted use of a WAF, since many WAFs offer not only defensive but also prophylactic measures.

It is not difficult to rebuild existing programs in such a way that SQL injections are no longer possible. The main problem of most programmers is a lack of knowledge about these types of attacks. In PHP, the PHP Data Objects library is available for database access.

Example without Prepared Statement:

Vim
1
2
$dbh->exec("INSERT INTO REGISTRY (name, value)
            VALUES (".$dbh->"($name,PDO::PARAM_STR).", ".$dbh->"($value,PDO::PARAM_INT).")");

Example with Prepared Statement:

Vim
1
2
3
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

    1. Use input validation and filtering for user-submitted data. This will help to prevent dangerous character injections.
    2. It is safe to use prepared statements, or stored procedures and avoid dynamic SQL
    3. Update regularly
    4. Patch regularly
    5. Monitor SQL statements with tools (like Stackify)
    6. Use a web application firewall
    7. Limit privilage of the MySQL users (grant all not always required, you can test with different levels of privileges)
    8. Offload comment, search etc to third party server
    9. Consider to deactivate pingback, trackback functions in web applications
    10. Block port 3306
How to Prevent SQL Injection

A comprehensive and detailed description of all relevant protective measures can be found in the SQL Injection Prevention Cheat Sheet from OWASP. If there is a loophole despite cleaning effort, it is necessary to restrict the privileges of database users. Commands such as “DROP TABLES”, should not be executable in a web application with a high risk of attack.

Sqlmap is a tool which you can use to test your database. You can remove strings with Apache web server.

As for WordPress, new vulnerabilities are discovered each day. Use reputed plugins and avoid using null themes. Who has nulled the costly theme likely has worse money making idea.

Facebook Twitter Pinterest

Abhishek Ghosh

About Abhishek Ghosh

Abhishek Ghosh is a Businessman, Surgeon, Author and Blogger. You can keep touch with him on Twitter - @AbhishekCTRL.

Here’s what we’ve got for you which might like :

Articles Related to How to Prevent SQL Injection

  • Nginx WordPress Installation Guide (All Steps)

    This is a Full Nginx WordPress Installation Guide With All the Steps, Including Some Optimization and Setup Which is Compatible With WordPress DOT ORG Example Settings For Nginx.

  • WordPress & PHP : Different AdSense Units on Mobile Devices

    Here is How To Serve Different AdSense Units on Mobile Devices on WordPress With PHP. WordPress Has Function Which Can Be Used In Free Way.

  • SQL Injection : What is SQL Injection and What Actually Happens

    SQL Injection is the exploitation of a vulnerability in the context of SQL databases, through the lack of masking or review of meta results in user input.

  • Changing Data With cURL for OpenStack Swift (HP Cloud CDN)

    Changing Data With cURL For Object is Quite Easy in OpenStack Swift. Here Are Examples With HP Cloud CDN To Make it Clear. Official Examples Are Bad.

performing a search on this website can help you. Also, we have YouTube Videos.

Take The Conversation Further ...

We'd love to know your thoughts on this article.
Meet the Author over on Twitter to join the conversation right now!

If you want to Advertise on our Article or want a Sponsored Article, you are invited to Contact us.

Contact Us

Subscribe To Our Free Newsletter

Get new posts by email:

Please Confirm the Subscription When Approval Email Will Arrive in Your Email Inbox as Second Step.

Search this website…

 

Popular Articles

Our Homepage is best place to find popular articles!

Here Are Some Good to Read Articles :

  • Cloud Computing Service Models
  • What is Cloud Computing?
  • Cloud Computing and Social Networks in Mobile Space
  • ARM Processor Architecture
  • What Camera Mode to Choose
  • Indispensable MySQL queries for custom fields in WordPress
  • Windows 7 Speech Recognition Scripting Related Tutorials

Social Networks

  • Pinterest (24.3K Followers)
  • Twitter (5.8k Followers)
  • Facebook (5.7k Followers)
  • LinkedIn (3.7k Followers)
  • YouTube (1.3k Followers)
  • GitHub (Repository)
  • GitHub (Gists)
Looking to publish sponsored article on our website?

Contact us

Recent Posts

  • How to Restrict Certain Posts or Categories In WordPress by CountryJune 6, 2023
  • Influence of Digitization on Procurement : Part 1June 6, 2023
  • How We Can Show Apple Icon, Windows Logo on Website TextJune 5, 2023
  • What is Google Bard? How it WorksJune 5, 2023
  • How to Create a PHP Installer Script to Create Tables in MySQL DatabaseJune 4, 2023
PC users can consult Corrine Chorney for Security.

Want to know more about us?

Read Notability and Mentions & Our Setup.

Copyright © 2023 - The Customize Windows | dESIGNed by The Customize Windows

Copyright  · Privacy Policy  · Advertising Policy  · Terms of Service  · Refund Policy

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Do not sell my personal information.
Cookie SettingsAccept
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT