informa
Announcements
Event
Emerging Cybersecurity Technologies: What You Need to Know - A Dark Reading March 23 Virtual Event | <GET YOUR PASS>
Report
Black Hat USA 2022 Attendee Report | Supply Chain & Cloud Security Risks Are Top of Mind | <READ IT NOW>
PreviousNext
Risk
2 MIN READ
News

Tech Insight: SQL Injection Demystified

Attackers are using the old standby SQL injection en masse -- a look at the attack and how to protect your applications from it
Dark Reading Staff
Dark Reading
August 21, 2009
The purpose behind the first two defensive approaches is to stop using dynamic SQL queries that accept user input. Instead, developers use prepared SQL statements that take the user's input as parameters, preventing an attacker from modifying the functionality of the SQL statement. The difference between parametrized queries and stored procedures is that the first is part of the application, while the latter lives in the database and is called by the application.

The third primary defense is to escape all user input, and according to the OWASP guide, this approach can be implemented within existing applications "with almost no effect on the structure of the code." In other words, if rewriting existing SQL statements as prepared statements or stored procedures is scary to your developers, escaping user input is the easy way out while still providing protection.

As added layers of defense that keep with good secure application coding practices, least privilege access should be enforced and all user input should be validated using a whitelist of valid input. For example, if the application only needs to read data from the database and only looks at fields containing numbers 1 through 9, then the database user account used by the application should only have read access to the tables necessary for the application to function. User input should be filtered to only allow numbers 1 through 9. While that sounds like common sense, it's a often common mistake by application developers.

Meanwhile, when you investigate a SQL injection attack, the most important thing is to have logging in place for the Web, application, and database servers. Having logs that show the attack request can help you understand exactly what the attacker was doing, while logs from the database server can indicate whether or not the attack was successful.

And having someone available who knows the application inside and out is very important. They can answer questions about what would happen if this query were successful, and whether or not the account used by the database would have privileges to do whatever the attacker was attempting. This is where having a good relationship between the security team and the developers is extremely important.

It is an easy vulnerability to exploit and tools exist that make it easy enough that practically anyone can do it, but with a little effort, companies can prevent the attacks if they follow the basic defense options recommended by OWASP.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Application Security
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports
Editors' Choice
Microsoft Outlook Vulnerability Could Be 2023's 'It' Bug
Nathan Eddy, Contributing Writer, Dark Reading
Chinese Warships Suspected of Signal-Jamming Passenger Jets
Tara Seals, Managing Editor, News, Dark Reading
ChatGPT Gut Check: Cybersecurity Threats Overhyped or Not?
Becky Bracken, Editor, Dark Reading
CISA Warns on Unpatched ICS Vulnerabilities Lurking in Critical Infrastructure
Jai Vijayan, Contributing Writer, Dark Reading
Webinars
More Webinars
Reports
More Reports
White Papers
More White Papers
Events
More Events
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports