SQL Injection
What is it? Why is it a problem? And how to combat it
Structured Query Language (SQL) is used to query, operate and administer database systems such as Microsoft SQL Server, Oracle, or MySQL. What is a database? A database is just a collection of data. Database systems are commonly used to provide backend functionality to many types of web applications.


SQL Injection attacks consist of the insertion, or "injection", of a SQL query via the input data from the client to the application. How does SQL Injection happen? User-supplied data is often used to dynamically build SQL statements that interact directly with a database. A SQL injection attack targets that database layer: it aims to subvert the original intent of the application by submitting attacker-supplied SQL statements, which go directly to the backend database.


If you haven't guessed by now, that is very bad! The ramifications of a successful SQL injection attack range from authentication bypass, information disclosure, and compromised data integrity, to compromised availability of data and remote command execution. (Below I will sum up what each of these means:)


  • Authentication Bypass: Allows the attacker to bypass the application credentials, without supplying a valid username and password.
  • Information Disclosure: Allows the attacker to access information, either directly or indirectly.
  • Compromised Data Integrity: Attacker can change or deface a web page or add malicious content to sites.
  • Remote Command Execution: Allows the attacker to compromise the host operating system.

SQL Injection can cause havoc to a database; however, there are two complementary and successful methods for mitigating SQL Injection attacks: parameterized queries using bound parameters, and careful use of parameterized stored procedures.


The first one is to parameterize queries using bound (typed) parameters. What does that mean? It pretty much means "don't keep all your eggs in one basket": keep the query and the data separate through the use of placeholders, also known as "bound" parameters, so that the database receives the query structure and the user-supplied values as two separate things.


The second way, careful use of parameterized stored procedures, is an effective mechanism to avoid most forms of SQL Injection. In combination with parameterized bound queries, it is very unlikely that SQL injection will occur within your application.


Some good things to keep in mind:


  • Always use accounts with the minimum privilege necessary for the application at hand, never "sa", "dba", "admin" or the equivalent.
  • Avoid using dynamic table names if possible.
  • If you do have a dynamic table name, do NOT accept it from the user.
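As an added illustration of the two points above (this is example code written for this post, not code from the original), here is a small Python/sqlite3 login lookup built by string concatenation beside the same lookup using bound parameters, plus an allowlist check for the dynamic table name case from the list. The users table, its rows and the inputs are constructed for the example.

```python
import sqlite3

# Constructed in-memory database so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "s3cret"), ("o'brien", "pw2")])
conn.commit()


def login_dynamic(username, password):
    """Vulnerable: user input is concatenated into the SQL text, so the
    data can change the structure of the query (or break it)."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_bound(username, password):
    """Hardened: the query text is fixed and the values travel as bound
    parameters, so the database never parses them as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Identifiers (table and column names) cannot be bound, so a dynamic
# table name must come from a fixed allowlist in the code, never from
# the user. ALLOWED_TABLES is an assumption made for this example.
ALLOWED_TABLES = {"users"}


def count_rows(table):
    """Only a table name from the allowlist ever reaches the query text."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % table)
    return conn.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]


if __name__ == "__main__":
    # A legitimate name containing a quote breaks the dynamic query
    # (sqlite3.OperationalError) but is handled as plain data when bound.
    print(login_bound("o'brien", "pw2"))                      # ["o'brien"]
    # Input that would alter the concatenated query is just a string here.
    print(login_bound("' OR '1'='1", "' OR '1'='1"))          # []
    print(count_rows("users"))                                # 2
```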