SQL INJECTION-A deadly security hole

Why is SQL Injection?

The following reasons have made the famous name of SQL Injection:

Photo by Clear Cannabis on Unsplash

Consequences of SQL Injection

The biggest consequence that SQL Injection causes are: Disclosure of data in the database. Depending on the importance of the data, the consequences can range from mild to extremely severe.

How does a SQL Injection attack look like?

The SQL Injection mechanism is straightforward. We often use SQL statements to access data. Suppose, to find the user login; we usually write the following code:

Prevention

Fortunately, although SQL is very dangerous, it is also easy to prevent. Recently, we hardly write pure SQL and use the ORM (Object-Relational Mapping) framework. These web frameworks generate their own SQL statements, making it harder for hackers to attack.
However, many sites still use plain SQL for data access. This is a delicious bait for hackers. To protect ourselves against SQL Injection, we can take the following measures.

  • Filter data from users: This prevention is similar to XSS. We use filter to filter the special characters (; ”‘) or keywords (SELECT, UNION) entered by the user. Should use the library/function provided by the framework.
  • Rewriting from scratch is both time-consuming and easy to miss.
  • Do not add strings to create SQL: Use parameters instead of adding strings. If the input data is not legal, SQL Engine will automatically report an error; we don’t need to use code to check.
  • Do not display exceptions, error messages: Hackers rely on error messages to find the database structure. When there is an error, we only show the error message, but do not display enough information about the error, avoiding hackers to take advantage of it.
  • Clear authorization in the DB: If only accessing data from some tables, create an account in the DB, assign access to that account, not use root or sa account. Even if the hacker injected SQL could not read data from the main tables, edit or delete data.
  • Backup data regularly: The tools have a saying “be careful not to worry”. Data must be backed up regularly so that it can still be restored if a hacker erases it. If even the backup data is also deleted… congratulations, update your CV and find a way to move your company!
Photo by Markus Spiske on Unsplash

Conclude

Data is one of the “most valuable” things on your website. After reading this article, check your page can be subject to SQL injection or not, then apply the methods I have instructed to fix.

Reference

http://www.w3schools.com/sql/sql_injection.asp
https://www.guru99.com/learn-sql-injection-with-practical-example.html

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Beribey

Beribey

40 Followers

Always be nice to anybody who has access to my toothbrush.