Tip

Preventing and stopping SQL injection hack attacks

Web developers often use custom code to power dynamic website functionality, but this code can put Web servers at risk to numerous vulnerabilities and flaws, which are especially dangerous when using Web applications to provide an interface to a back-end database. In this tip, learn about SQL injections,

    Requires Free Membership to View

    Login

one particular type of attack against database-driven applications. Learn how an SQL injection hack attack works and get several tips, tricks and best practices for preventing, avoiding and stopping SQL injection attacks.

For more information:
Automated SQL injection worms use search engines to filter through vulnerable Web servers. In this tip, Patrick Szeto explains how to find and stop SQL injections.

If your site uses a SQL server, then it is probably vulnerable to some form of SQL injection. Expert Richard Brain explains how to strengthen database defenses.
How do SQL injection attacks work?
Attackers gain access to Web applications through SQL injection by adding Structured Query Language (SQL) code to a Web forum input box in the form of an SQL query, which is a request for a specific action to be performed on a database. Typically, during user authentication a username and password are entered and inserted into a query. The user is then either granted or denied access, depending on if the correct information was submitted. Web forums typically don't have any means to block input other then usernames and passwords, meaning a hacker can perform an SQL injection attack by using input boxes to send requests to the database, possibly granting them access.

Preventing and avoiding SQL injection hack attacks
There are several steps every organization can take to reduce the likelihood of falling victim to a SQL injection attack:

• Limit user access privileges: Only give employees and users the ability to access to information that they need in order to perform their jobs.

• Ensure employee security awareness: Make sure that employees who have a hand in website development (as well as dedicated Web developers) are aware of the SQL injection threat and know best practices to keep your servers safe.

• Reduce debugging information: When a Web server experiences an error, make sure details of the error aren't displayed to the user, since this information could help a hacker commit malicious activity and gain the information he or she needs to successfully attack the server.

• Test Web applications: Test Web applications and check Web developers work by sending data through the Web server; if the result is an error message, the application might be susceptible to an SQL injection attack.


WEB APPLICATION ATTACK SECURITY

  Introduction: Web application security
  How to stop buffer-overflow attacks
  Prevent cross-site scripting hacks
  Stopping SQL injection hack attacks
  Distributed denial-of-service protection
 

This was first published in January 2010

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top