8 Ways to Prevent SQL Injection

SQL injection targets the back-end database, allowing hackers to create, delete, modify or read sensitive data. The consequences of such a breach are varied, depending on the motivation behind the attack. Regardless of whether a hacker is attempting to expose sensitive data or on a mission to cause serious consequences, enterprises want to avoid being vulnerable to SQL injection. 

SQL injection is one of the most common methods used by hackers to gain unauthorized access to sensitive information. Even major brands such as Sony Pictures, Microsoft, Yahoo, LinkedIn—even the CIA—have been breached using SQL injection. Here are a few tips for protecting against this vulnerability.

1. Escaping and Filtering

Areas of user input, such as login screens and form fields, are often vulnerable to SQL injection. One way to protect against it is to properly escape and filter user input and special characters.

2. Avoid Displaying Syntax Errors and Other Database Information to Users

Error notifications often reveal sensitive database information to users. Avoiding the display of syntax errors and similar messaging protects the information stored in the database from outside or unauthorized access.

3. Limit Database Privileges

Create numerous user accounts with varying levels of database access, limiting user types to only the access necessary for functionality—not more. Giving users access to areas of a database they don’t require broadens the playing field for hackers in the event of an attack.

4. Avoid Executing Multiple Queries in One Statement

Each statement should execute a single query. Allowing multiple executions in a single statement leaves the door open for injections, adding complexity to the validation process.

5. Secure Input Validations

Input validation techniques which authenticate user input against pre-defined rules helps prevent the injection of unauthorized snippets. Validate input data for length, type, and syntax, as well as against your business rules.

6. Never Trust User Input

In addition to escaping and filtering, you should maintain a high level of distrust of any user-entered data. Not because you think all your users have malicious intent, but because you don’t know that malicious users aren’t masquerading as innocent users. Don’t allow inappropriate characters to be input for a phone number, for instance, or non-practical input for email addresses or user names. Sanitizing based on practical rules provides maximum protection against SQL injection.

7. Eliminate Unnecessary Database Functionality

Maintaining the existence of database functions that you don’t really need only broadens opportunities for SQL injection. Minimize your database usage to what you need to run your applications adequately.

8. Use a Web Application Firewall

Web application firewalls can be useful tools for detecting and blocking attempts to push SQL through web channels. Blocking SQL attempts at the firewall level even eliminates the limited hacks that can break through and access only a portion of your database if you’re using limited database privileges based on user context.

These eight tactics will help prevent your applications, and your users, from falling victim to potentially devastating SQL injection attacks. There are dozens of rules for maximizing your protection against SQL injection, but these eight rules serve as foundational principles that will help ensure security at the most basic application level.

Author Bio

Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company specializing in how to prevent a SQL injectionand other security breaches with effective risk assessment tools

Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.