Preventing SQL Injection Attacks Essential Measures

Preventive Measures Against SQL Injection Attacks

An SQL injection attack occurs when an attacker injects a string input into the application that changes or manipulates the SQL statement to the attacker's advantage, as described by Elmasri & Navathe (2015). They indicate that an SQL injection attack inflicts damage on the database management system. Examples of the damage that can be done are unauthorized manipulation of data, retrieval of sensitive data, or execution of operating system-level commands.

To prevent SQL injection attacks, Elmasri & Navathe (2015) describe the use of parameterized statements or bind variables. Instead of embedding the user input in the SQL statement, one passes the string to a variable bound to a parameter. Once the value is bound to a parameter, it can be checked to be sure it is valid input; for example, make sure a zip code is numeric and of a certain length. If it does not validate, return an error. Each variable should be checked to be sure it is valid before it is passed to the database management system to execute the SQL.
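The following is an added example (not from the textbook or this post) that puts the string-built query beside the bound-parameter form, using Python's sqlite3 module and a constructed in-memory table. The five-digit ZIP format and the table layout are assumptions made for the demonstration.

```python
import re
import sqlite3

# Assumed validation rule: a ZIP code must be exactly five digits.
ZIP_RE = re.compile(r"^\d{5}$")


def is_valid_zip(value: str) -> bool:
    """Input check performed before the value reaches the database."""
    return ZIP_RE.match(value) is not None


def open_demo_db() -> sqlite3.Connection:
    """In-memory database filled with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, zip TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "30301"), ("bob", "10001"), ("carol", "30301")],
    )
    return conn


def customers_by_zip_unsafe(conn: sqlite3.Connection, zip_input: str) -> list:
    """Vulnerable form: user input is embedded directly into the SQL text,
    so the input can change the structure of the statement."""
    sql = f"SELECT name FROM customers WHERE zip = '{zip_input}'"
    return [row[0] for row in conn.execute(sql)]


def customers_by_zip_bound(conn: sqlite3.Connection, zip_input: str) -> list:
    """Bound parameter only: the input is passed as data, never as SQL text,
    so a tautology string simply matches no row."""
    sql = "SELECT name FROM customers WHERE zip = ?"
    return [row[0] for row in conn.execute(sql, (zip_input,))]


def customers_by_zip_safe(conn: sqlite3.Connection, zip_input: str) -> list:
    """Bound parameter plus validation: reject anything that is not a ZIP
    before the database is involved, as the text recommends."""
    if not is_valid_zip(zip_input):
        raise ValueError(f"invalid zip code: {zip_input!r}")
    return customers_by_zip_bound(conn, zip_input)
```

Running the unsafe lookup with a constructed tautology input such as `' OR '1'='1` returns every row, while the bound form returns nothing and the validated form raises before any SQL is sent.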

The easiest way to avert an SQL injection can be an application source code review. Some companies, such as banks, do not allow the use of SQL injection testing tools, so the only way to find vulnerabilities is to examine the code, as described by Clarke-Salt (2009).

The two primary methods of analyzing source code for vulnerabilities are static analysis and dynamic code analysis.

Static code analysis is the process of analyzing the application source code without executing it. Dynamic code analysis performs the analysis during the execution, or runtime, of the application code. Clarke-Salt (2009) points out that many forms of dynamic string building and execution are evident in a quick code review. What still has to be determined is whether the data used in the queries is sourced from the user's browser and whether it has been correctly validated or encoded before being submitted to the user.

References

Clarke-Salt, J. (2009). SQL Injection Attacks and Defense. Elsevier Science. Retrieved from http://www.ebrary.com

Elmasri, R., & Navathe, S. B. (2015-06-01). Fundamentals of Database Systems, 7th Edition. VitalSource Bookshelf version. Retrieved from https://bookshelf.vitalsource.com/books/9781323139899