Preventing and stopping SQL injection hack attacks

In this tip, which is a part of our Web Application Attack Security Guide, you will learn methods, tools and best practices for preventing, avoiding and stopping SQL injection hack attacks.

Web developers often use custom code to power dynamic website functionality, but this code can put Web servers at risk to numerous vulnerabilities and flaws, which are especially dangerous when using Web applications to provide an interface to a back-end database. In this tip, learn about SQL injections, one particular type of attack against database-driven applications. Learn how an SQL injection hack attack works and get several tips, tricks and best practices for preventing, avoiding and stopping SQL injection attacks.

How do SQL injection attacks work?

Attackers gain access to Web applications through SQL injection by adding Structured Query Language (SQL) code to a Web forum input box in the form of an SQL query, which is a request for a specific action to be performed on a database. Typically, during user authentication a username and password are entered and inserted into a query. The user is then either granted or denied access, depending on if the correct information was submitted. Web forums typically don't have any means to block input other then usernames and passwords, meaning a hacker can perform an SQL injection attack by using input boxes to send requests to the database, possibly granting them access.

More Information

  • Automated SQL injection worms use search engines to filter through vulnerable Web servers. In this tip, Patrick Szeto explains how to find and stop SQL injections.
  • If your site uses a SQL server, then it is probably vulnerable to some form of SQL injection. Expert Richard Brain explains how to strengthen database defenses.

Preventing and avoiding SQL injection hack attacks

There are several steps every organization can take to reduce the likelihood of falling victim to a SQL injection attack:

• Limit user access privileges: Only give employees and users the ability to access to information that they need in order to perform their jobs.

• Ensure employee security awareness: Make sure that employees who have a hand in website development (as well as dedicated Web developers) are aware of the SQL injection threat and know best practices to keep your servers safe.

• Reduce debugging information: When a Web server experiences an error, make sure details of the error aren't displayed to the user, since this information could help a hacker commit malicious activity and gain the information he or she needs to successfully attack the server.

• Test Web applications: Test Web applications and check Web developers work by sending data through the Web server; if the result is an error message, the application might be susceptible to an SQL injection attack.

  Introduction: Web application security
  How to stop buffer-overflow attacks
  Prevent cross-site scripting hacks 
  Stopping SQL injection hack attacks
  Distributed denial-of-service protection

This was last published in January 2010

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)