SQL Injection Prevention


SQL Injection and Ways to Prevent It

SQL Injection: What Is It, and How to Prevent It

You might be wondering what SQL injection is, how it occurs and how to prevent it. Here is the answer to your question.
SQL injection, which can also be called "Failure to Preserve SQL Query Structure", is one of the most frequent and most dangerous security issues that occur. SQL injections are always dangerous because they act as a wide-open door for hackers: they let an attacker reach your database through the web interface itself and do whatever they like, such as deleting tables or modifying data. Note that SQL injection is a programming error and has nothing to do with the web hosting provider.

Most SQL injection risks arise when a programmer builds a dynamic database query that contains user input. In that case there are two ways to prevent an SQL injection:

Don't write dynamic database queries.
Don't allow user input in your queries.

Some more steps to prevent SQL injections are as follows:

Use dynamic SQL only if absolutely necessary.

Dynamic SQL can easily be replaced with prepared statements, parameterized queries, or stored procedures. For instance, in Java you can use PreparedStatement with bind variables instead of dynamic SQL; in .NET you can use parameterized queries such as SqlCommand or OleDbCommand with bind variables; and in PHP you can use PDO with strongly typed parameterized queries (using bindParam()) instead of dynamic SQL.
So it is recommended to avoid dynamic SQL and use it only if absolutely necessary.
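The post names Java, .NET and PHP; the following is an added example, not code from the original post, that uses Python's standard sqlite3 module instead, because its "?" placeholder is the same bind-variable mechanism as PreparedStatement, SqlCommand or PDO bindParam(). It builds a constructed in-memory users table and shows a dynamic (string-concatenated) lookup beside its parameterized form, so you can see that the same input changes the structure of the first query but is treated purely as a value by the second. The table, rows and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    # Even the seed data goes in through bound parameters.
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: dynamic SQL.

    The user-supplied value is spliced into the query text, so quote
    characters in the input become part of the SQL grammar and can change
    the WHERE clause itself (the "failure to preserve SQL query structure").
    """
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: parameterized query.

    The query structure is fixed at the call site; the value is handed to the
    driver separately as a bind parameter and is never parsed as SQL, so
    quotes or keywords in the input can only ever be compared as data.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def dynamic_query_is_safe(conn: sqlite3.Connection, probe: str) -> bool:
    """Return True only if the dynamic lookup behaves exactly like the bound one
    for the given input: same rows, and no SQL syntax error from the input."""
    try:
        return find_user_dynamic(conn, probe) == find_user_param(conn, probe)
    except sqlite3.OperationalError:
        # A syntax error means the input was parsed as SQL, which is the defect.
        return False


if __name__ == "__main__":
    db = make_db()
    # A legitimate name behaves the same either way.
    print(find_user_dynamic(db, "alice"), find_user_param(db, "alice"))
    # A name that merely contains an apostrophe already breaks the dynamic form.
    print(dynamic_query_is_safe(db, "o'brien"))
```

A quick sanity check to keep in a unit test: the parameterized lookup for a name containing an apostrophe such as o'brien simply returns no rows, while the dynamic version raises sqlite3.OperationalError because the apostrophe terminated the string literal early. That crash is the same defect an attacker exploits; the fix is the bound parameter, not escaping the quote by hand.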
Turn OFF magic quotes.

Turning OFF the magic_quotes_gpc setting can prevent some SQL injection attacks.

Install patches regularly and on time.

Even if your code has no SQL vulnerabilities, it is always recommended to install patches, especially patches for SQL vulnerabilities, right after they become available, to avoid future SQL injections.

Remove all functionality that you don't use.

Database servers are complex and offer far more functionality than you need. Take for example the xp_cmdshell extended stored procedure in MS SQL, which gives access to the shell and is just what a hacker waits for. You should disable this procedure and any other functionality that can easily be misused.

Use automated test tools for SQL injections.

Even if your developers follow all of the above rules and do their best to avoid dynamic queries with unsafe user input, you still need a procedure to confirm this compliance. There are many automated test tools for SQL injections that you can download and run against your own application.
Following these steps cannot stop SQL injection completely, but they go a long way toward preventing it if you follow them completely and conscientiously.