P { margin-bottom: 0.08in; direction: ltr; color: rgb(0, 0, 0); widows: 2; orphans: 2; }A:link { color: rgb(5, 99, 193); }

SQL injection targets the back-end

database, allowing hackers to create, delete, modify or read

sensitive data. The consequences of such a breach are varied,

depending on the motivation behind the attack. Regardless of whether

a hacker is attempting to expose sensitive data or on a mission to

cause serious consequences, enterprises want to avoid being

vulnerable to SQL injection.









SQL injection is one of the most

common methods used by hackers to gain unauthorized access to

sensitive information. Even major brands such as Sony Pictures,

Microsoft, Yahoo, LinkedIn—even the CIA—have been breached using

SQL injection. Here are a few tips for protecting against this

vulnerability.









Escaping and Filtering







Areas of user input, such as login

screens and form fields, are often vulnerable to SQL injection. One

way to protect against it is to properly escape and filter user input

and special characters.









Avoid Displaying Syntax

Errors and Other Database Information to Users







Error notifications often reveal

sensitive database information to users. Avoiding the display of

syntax errors and similar messaging protects the information stored

in the database from outside or unauthorized access.









Limit Database Privileges







Create

numerous user accounts with varying levels of database access,

limiting user types to only the access necessary for

functionality—not more. Giving users access to areas of a database

they don’t require broadens the playing field for hackers in the

event of an attack.









Avoid Executing Multiple

Queries in One Statement







Each statement should execute a

single query. Allowing multiple executions in a single statement

leaves the door open for injections, adding complexity to the

validation process.









Secure Input Validations







Input validation techniques which

authenticate user input against pre-defined rules helps prevent the

injection of unauthorized snippets. Validate input data for length,

type, and syntax, as well as against your business rules.









Never Trust User Input







In addition to escaping and

filtering, you should maintain a high level of distrust of any

user-entered data. Not because you think all your users have

malicious intent, but because you don’t know that malicious users

aren’t masquerading as innocent users. Don’t allow inappropriate

characters to be input for a phone number, for instance, or

non-practical input for email addresses or user names. Sanitizing

based on practical rules provides maximum protection against SQL

injection.







Eliminate Unnecessary

Database Functionality







Maintaining the existence of

database functions that you don’t really need only broadens

opportunities for SQL injection. Minimize

your database usage to what you need to run your applications

adequately.









Use a Web Application

Firewall







Web application firewalls can be

useful tools for detecting and blocking attempts to push SQL through

web channels. Blocking SQL attempts at the firewall level even

eliminates the limited hacks that can break through and access only a

portion of your database if you’re using limited database

privileges based on user context.









These eight tactics will help

prevent your applications, and your users, from falling victim to

potentially devastating SQL injection attacks. There are dozens of

rules for maximizing your protection against SQL injection, but these

eight rules serve as foundational principles that will help ensure

security at the most basic application level.









Author Bio







Fergal

Glynn is the Director of Product Marketing at Veracode, an

award-winning application security company specializing in how to prevent a SQL injection

and other security breaches with effective risk assessment tools















