Tuesday, January 18, 2011

How to avoid SQL Injection:

What is SQL Injection?
An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input
SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn’t properly filter out dangerous characters. This can allow an attacker to not only steal data from your database, but also modify and delete it. Certain SQL Servers such as Microsoft SQL Server contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire machine. Attackers commonly insert single qoutes into a URL’s query string, or into a forms input field to test for SQL Injection. If an attacker receives an error message like the one below there is a good chance that the application is vulnerable to SQL Injection
Microsoft OLE DB Provider for ODBC Drivers error ‘80040e14′
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword ‘or’.
/wasc.asp, line 69
What is Blind SQL Injection?
When an attacker executes SQL Injection attacks sometimes the server responds with error messages from the database server complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application rather then getting a useful error message they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through sql statements.
Preventing SQL injection
To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.
Enforcement at the database level
Currently only the H2 Database Engine supports the ability to enforce query parameterization. However, one drawback is that query by example may not be possible or practical because it’s difficult to implement query by example using parametrized queries.
Enforcement at the coding level
Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in effect will generate parameterized SQL statements from object-oriented code.

No comments:

Post a Comment