This blog entry will look at SQL injection attacks and what you can do as a website owner/developer to mitigate this type of attack.
What is a SQL injection Attack?
Too often developers/system administrators focus only on the Operating System and Web Server application as attack vectors and ignore the code that the website itself runs. With more and more sites being dynamic and database driven, SQL injection attacks are on the rise. In a successful SQL injection attack, an attacker can compromise the data stored in the database, deface a website or execute remote code.
A SQL injection attack takes advantage of poor sanitization of user input. When user-supplied data is not validated before it is placed in a query, SQL code can be injected into that query, thereby compromising the system/website. This is illustrated on Microsoft's website.
In the example, when user input on a logon page is not sanitized, a malicious user can enter SQL such as "' Or 1=1 --" in place of a username. As described on the MSDN website, by injecting the above text a malicious user can bypass the authentication mechanism.
How to mitigate SQL Injection attacks
SQL injection attacks can be mitigated by using better coding techniques that incorporate input validation controls. In the above example, a malicious user was able to manipulate the input parameter by using a single quote. To mitigate this type of attack you can escape single quotes by using a replace function to double them up (change ' to ''). Additionally, limit the permissions granted to the database user that the web application runs as.
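The following is an added example, not code from the original post or from Microsoft's article, written in Python against an in-memory SQLite database so it runs offline. It reproduces the logon bypass described above with the post's own input (' Or 1=1 --), shows the quote-doubling mitigation the post recommends, and alongside it shows a parameterized query, which is the generally recommended primary defence because the database driver never treats the input as SQL text. It also goes one step beyond the post: a numeric lookup where quote escaping does nothing because the input was never inside quotes, which is exactly where parameterization still holds. The table, user rows and the `make_db`, `login_*` and `count_by_id_*` function names are all constructed for this example.

```python
import sqlite3

# Constructed sample input taken from the post: a "username" that closes the
# quoted string, adds an always-true condition and comments out the rest.
INJECTION = "' Or 1=1 --"


def make_db():
    # Constructed in-memory table for the example. A real system would store
    # password hashes, not plaintext; that is a separate topic from injection.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The input is concatenated into the SQL text, so quote characters and
    # comment markers in the input change the structure of the query.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_escaped(conn, username, password):
    # The mitigation described in the post: double every single quote so the
    # value stays inside its string literal. Still string-building, so it only
    # protects quoted string contexts.
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + u
           + "' AND password = '" + p + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds the values separately from the SQL text,
    # so no input can alter the query's structure regardless of its contents.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def count_by_id_escaped(conn, user_id):
    # Numeric column, so the value is not wrapped in quotes. Doubling quotes
    # has nothing to act on here: "1 OR 1=1" is passed through unchanged and
    # becomes part of the WHERE clause.
    safe = user_id.replace("'", "''")
    sql = "SELECT COUNT(*) FROM users WHERE id = " + safe
    return conn.execute(sql).fetchone()[0]


def count_by_id_parameterized(conn, user_id):
    # Bound as a value; a string like "1 OR 1=1" is compared as a literal
    # and matches no numeric id.
    sql = "SELECT COUNT(*) FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected :", login_vulnerable(db, INJECTION, "x"))
    print("escaped, injected    :", login_escaped(db, INJECTION, "x"))
    print("parameterized, inject:", login_parameterized(db, INJECTION, "x"))
    print("id escaped, injected :", count_by_id_escaped(db, "1 OR 1=1"))
    print("id parameterized     :", count_by_id_parameterized(db, "1 OR 1=1"))
```

Running the script shows the concatenated query accepting the injected username while both mitigations reject it for the quoted string case; the numeric lookup shows quote escaping returning every row while the parameterized version returns none. In practice, treat parameterized queries (stored procedures with parameters in SQL Server, or `?`/named placeholders in most drivers) as the baseline and keep quote escaping only as a defence-in-depth measure for legacy string-built queries.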
Customers who use third-party content management systems should upgrade to the latest build and be on the lookout for any security hotfixes/updates from the vendor.
- Stop SQL Injection Attacks Before They Stop You
- Microsoft Security Advisory 954462 Rise in SQL Injection Attacks Exploiting Unverified User Data Input
- Injection Protection
- Preventing SQL Injections in ASP
- Coding techniques for protecting against SQL injection
- Filtering SQL injection from Classic ASP
- How To: Protect From SQL Injection in ASP.NET
- SQL Injection Attack
SoftCom Technology Consulting Inc.