Attackers gain access to Web applications through SQL injection by adding Structured Query Language (SQL) code to a Web forum input box in the form of an SQL query, which is a request for a specific action to be performed on a database. Typically, during user authentication a username and password are entered and inserted into a query. The user is then either granted or denied access, depending on if the correct information was submitted. Web forums typically don't have any means to block input other then usernames and passwords, meaning a hacker can perform an SQL injection attack by using input boxes to send requests to the database, possibly granting them access.
Preventing and avoiding SQL injection hack attacks
There are several steps every organization can take to reduce the likelihood of falling victim to a SQL injection attack:
• Limit user access privileges: Only give employees and users the ability to access to information that they need in order to perform their jobs.
• Ensure employee security awareness: Make sure that employees who have a hand in website development (as well as dedicated Web developers) are aware of the SQL injection threat and know best practices to keep your servers safe.
• Reduce debugging information: When a Web server experiences an error, make sure details of the error aren't displayed to the user, since this information could help a hacker commit malicious activity and gain the information he or she needs to successfully attack the server.
• Test Web applications: Test Web applications and check Web developers work by sending data through the Web server; if the result is an error message, the application might be susceptible to an SQL injection attack.
WEB APPLICATION ATTACK SECURITY
Introduction: Web application security
How to stop buffer-overflow attacks
Prevent cross-site scripting hacks
Stopping SQL injection hack attacks
Distributed denial-of-service protection
This was first published in January 2010