8 Ways to Prevent SQL Injection

P { margin-bottom: 0.08in; direction: ltr; color: rgb(0, 0, 0); widows: 2; orphans: 2; }A:link { color: rgb(5, 99, 193); }

http://www.ehacking.net/2013/11/8-ways-to-prevent-sql-injection.html

SQL injection targets the back-end
database, allowing hackers to create, delete, modify or read
sensitive data. The consequences of such a breach are varied,
depending on the motivation behind the attack. Regardless of whether
a hacker is attempting to expose sensitive data or on a mission to
cause serious consequences, enterprises want to avoid being
vulnerable to SQL injection. 




SQL injection is one of the most
common methods used by hackers to gain unauthorized access to
sensitive information. Even major brands such as Sony Pictures,
Microsoft, Yahoo, LinkedIn—even the CIA—have been breached using
SQL injection. Here are a few tips for protecting against this
vulnerability.



  1. Escaping and Filtering



Areas of user input, such as login
screens and form fields, are often vulnerable to SQL injection. One
way to protect against it is to properly escape and filter user input
and special characters.



  1. Avoid Displaying Syntax
    Errors and Other Database Information to Users



Error notifications often reveal
sensitive database information to users. Avoiding the display of
syntax errors and similar messaging protects the information stored
in the database from outside or unauthorized access.



  1. Limit Database Privileges



Create
numerous user accounts with varying levels of database access,
limiting user types to only the access necessary for
functionality—not more. Giving users access to areas of a database
they don’t require broadens the playing field for hackers in the
event of an attack.



  1. Avoid Executing Multiple
    Queries in One Statement



Each statement should execute a
single query. Allowing multiple executions in a single statement
leaves the door open for injections, adding complexity to the
validation process.



  1. Secure Input Validations



Input validation techniques which
authenticate user input against pre-defined rules helps prevent the
injection of unauthorized snippets. Validate input data for length,
type, and syntax, as well as against your business rules.



  1. Never Trust User Input



In addition to escaping and
filtering, you should maintain a high level of distrust of any
user-entered data. Not because you think all your users have
malicious intent, but because you don’t know that malicious users
aren’t masquerading as innocent users. Don’t allow inappropriate
characters to be input for a phone number, for instance, or
non-practical input for email addresses or user names. Sanitizing
based on practical rules provides maximum protection against SQL
injection.



  1. Eliminate Unnecessary
    Database Functionality



Maintaining the existence of
database functions that you don’t really need only broadens
opportunities for SQL injection. Minimize
your database usage to what you need to run your applications
adequately.



  1. Use a Web Application
    Firewall



Web application firewalls can be
useful tools for detecting and blocking attempts to push SQL through
web channels. Blocking SQL attempts at the firewall level even
eliminates the limited hacks that can break through and access only a
portion of your database if you’re using limited database
privileges based on user context.



These eight tactics will help
prevent your applications, and your users, from falling victim to
potentially devastating SQL injection attacks. There are dozens of
rules for maximizing your protection against SQL injection, but these
eight rules serve as foundational principles that will help ensure
security at the most basic application level.



Author Bio



Fergal
Glynn is the Director of Product Marketing at Veracode, an
award-winning application security company specializing in
how to prevent a SQL injection
and other security breaches with effective risk assessment tools








Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.
Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

How to Exploit Heartbleed using Metasploit in Kali Linux

Heartbleed vulnerability (registered as CVE-2014-0160) is a security bug present in the older version of OpenSSL cryptographic library. OpenSSL is a cryptographic toolkit used...

How to Install Parrot Security OS on VirtualBox in 2020

Parrot Security OS is a free GNU/LINUX distribution, released on 10th April 2013. It is a mixture of Kali Linux and Frozenbox OS, aims to...

How to Install Kali Linux on VirtualBox [Windows Host] in 2020

Kali Linux is a Debian based Linux distribution, released on the 13th March 2013 as a complete rebuild of BackTrack Linux. It is one of...

Acunetix v13 Release Introduces Groundbreaking Innovations

The newest release of the Acunetix Web Vulnerability Scanner further improves performance and premieres best-of-breed technologies London, United Kingdom – February 5, 2019 – Acunetix,...