
SQL Injection attacks on the rise

by Darish on July 18, 2008

This blog entry looks at SQL injection attacks and what you can do as a website owner or developer to mitigate this type of attack.

What is a SQL injection Attack?

Too often developers and system administrators focus only on the operating system and the web server application as attack vectors and ignore the code the website itself runs. With more and more sites being dynamic and database driven, SQL injection attacks are on the rise. In a successful SQL injection attack, an attacker can compromise the data stored in the database, deface the website or execute remote code.

A SQL injection attack takes advantage of poor sanitization of user input. When user input is not validated before it is placed into a query, SQL code can be injected into that query, compromising the system or website. This is illustrated on Microsoft’s website.

In the example, when user input on a logon page is not sanitized, a malicious user can enter SQL such as `' Or 1=1 --`. As described on the MSDN website, injecting this input lets a malicious user bypass the authentication mechanism.

How to mitigate SQL Injection attacks

SQL injection attacks can be mitigated by using better coding techniques that include input validation controls. In the above example, a malicious user was able to manipulate the input parameter by using a single quote. To mitigate this type of attack you can escape single quotes with a replace function, changing each ' to '' (two single quotes) before the value is placed in the query. Additionally, limit the permissions granted to the database user the web application runs under.
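To make the logon example concrete, here is an added example (not code from the original post or from MSDN) that builds the same kind of authentication query three ways: concatenated as in the vulnerable case, with single quotes escaped by doubling as described above, and as a parameterized query, which goes beyond the post by letting the database driver keep input and SQL separate. The users table and credentials are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample users table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' case: user input concatenated straight into the SQL text.

    Input such as ' Or 1=1 -- closes the string literal, adds an always-true
    condition, and comments out the password check.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_escaped(conn, username, password):
    """The post's mitigation: double every single quote before concatenating,
    so a quote in the input stays inside the string literal."""
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + u +
           "' AND password = '" + p + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Preferred fix: placeholders. The driver passes the values separately,
    so they are never parsed as SQL no matter what characters they contain."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    bad_user = "' Or 1=1 --"
    print("vulnerable  :", login_vulnerable(db, bad_user, "x"))    # True
    print("escaped     :", login_escaped(db, bad_user, "x"))       # False
    print("parameterized:", login_parameterized(db, bad_user, "x"))  # False
```

Running the block shows the bypass succeeding only against the concatenated query; both fixed versions still accept the real credentials, including passwords that legitimately contain a quote.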

Customers that use third party content management systems should endeavour to upgrade to the latest build and be on the lookout for any security hotfixes/updates from the vendor.
More information:

Thanks,

Darish R.
Operations Manager
SoftCom Technology Consulting Inc.


Twit July 21, 2008 at 10:42 AM

Very very informative. Keep up the good work…


WrigleyF December 29, 2010 at 11:41 AM

I always ignore the code, and I am probably vulnerable to these kinds of attacks. Will try to do better in the future!


Rusher January 20, 2011 at 9:39 AM

This is definitely frightening. I didn’t know my data was so at risk because of SQL attacks.


OfftheWall September 14, 2011 at 11:25 AM

Never knew someone could bypass the authorization mechanism so easily. Frightening is the word!


Randy5 December 28, 2011 at 10:15 AM

Thanks for the tips on how to mitigate an SQL injection attack on Microsoft. It amazes me what a difference there is between ‘ and “ when you’re coding.

© 2010 SoftCom Inc. All rights reserved.