What is SQL Injection (SQLi) and How Can We Fix It?

SQL Injection (SQLi)

SQL Injection is an injection attack in which an attacker causes a web application to execute malicious SQL statements (often called a malicious payload) against its database server. A successful SQL Injection can give the attacker unauthorized access to sensitive data: customer records, personally identifiable information, business data and intellectual property, all of which are confidential regardless of whether the owner is a business, a student, a service provider or an entrepreneur.

An SQL Injection needs only two conditions to exist: a relational database that uses SQL, and user-controllable input that is placed directly into an SQL query. In what follows, assume the attacker's goal is to exfiltrate data from the database by exploiting an SQL Injection vulnerability in a web application. Detailed errors are very useful to developers during development, but if they remain enabled on a live site they reveal a great deal to an attacker. SQL errors tend to be descriptive enough that an attacker can learn the structure of the database from them, and in some cases can enumerate an entire database purely by extracting information from error messages; this technique is referred to as error-based SQL Injection.

SQL Injection can be prevented by following these steps:

Do not trust blindly

Simply put, no input that reaches the SQL engine should be trusted. Organizations should build and enforce secure coding guidelines that require SQL to be constructed with parameterized queries (prepared statements), which prevent SQL Injection by keeping the executable SQL text separate from the data supplied by the user. Input validation is a useful additional layer, but it is not a substitute: the query itself must be parameterized.
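The following is an added example, not code from the original article, that shows both halves of the discussion above: the two conditions for SQL Injection (a SQL database plus user input concatenated into the query), the tautology and UNION payloads an attacker would use to exfiltrate data, the error-based probing of table names through the database's own error text, and the parameterized query that fixes all of it. SQLite stands in for any SQL database; the schema, rows and payloads are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory schema and rows for the demonstration (not from the article).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO users VALUES (1, 'alice', 'hash-of-alice');
INSERT INTO users VALUES (2, 'bob', 'hash-of-bob');
INSERT INTO products VALUES (1, 'widget', 9.99);
INSERT INTO products VALUES (2, 'gadget', 24.5);
"""


def make_db():
    """Create the sample database; SQLite stands in for any SQL database here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_products_vulnerable(conn, name):
    """VULNERABLE: the user-controlled value is concatenated into the SQL text,
    so both of the article's conditions are met and the input can change the query."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, name):
    """Parameterized query: the SQL text is fixed and the value is bound separately,
    so a payload is only ever compared against product names, never executed."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe_table(conn, table):
    """Error-based probing against the vulnerable endpoint: guess a table name and
    read the database's own error text. None means the table exists (no error)."""
    payload = "' UNION SELECT 1, 2 FROM " + table + "--"
    try:
        search_products_vulnerable(conn, payload)
        return None
    except sqlite3.Error as e:
        return str(e)


if __name__ == "__main__":
    conn = make_db()
    tautology = "widget' OR '1'='1"
    union = "x' UNION SELECT username, password_hash FROM users--"
    print("vulnerable, tautology:", search_products_vulnerable(conn, tautology))
    print("vulnerable, union    :", search_products_vulnerable(conn, union))
    print("safe, tautology      :", search_products_safe(conn, tautology))
    print("safe, union          :", search_products_safe(conn, union))
    print("probe 'secrets'      :", probe_table(conn, "secrets"))
    print("probe 'users'        :", probe_table(conn, "users"))
```

Against the vulnerable function the tautology payload returns every product and the UNION payload returns the usernames and password hashes from a table the endpoint was never meant to touch; the probe shows how "no such table" errors let an attacker confirm which tables exist. The parameterized version returns nothing for both payloads because they are only ever treated as a product name.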

Create Error Messages with Care

Attackers often use poorly crafted error messages to learn how to attack a database more effectively. Developers and DBAs need to consider what information is returned in an error when the input is unexpected. For example, if a logon error comes back with "user names cannot contain numbers", that tells an attacker something about the account naming policy and may help them make use of stolen account information. Return a generic message to the user and keep the detailed error in server-side logs where it is still available for troubleshooting.
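As an added illustration (not from the original article), the handler below shows the leaky pattern beside the careful one: the first returns the database's own error text to the caller, the second logs the full detail under a reference id and returns only a generic message carrying that id. The empty in-memory SQLite database and the query are a constructed fixture so that the query is guaranteed to fail.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app.db")


def empty_db():
    """Fresh in-memory database with no tables, so any query fails (constructed fixture)."""
    return sqlite3.connect(":memory:")


def run_query_leaky(conn, sql, params=()):
    """Returns the raw database error to the caller: the structure of the database
    (table and column names, syntax hints) leaks straight to whoever sent the input."""
    try:
        return {"ok": True, "rows": conn.execute(sql, params).fetchall()}
    except sqlite3.Error as e:
        return {"ok": False, "error": str(e)}


def run_query_careful(conn, sql, params=()):
    """Logs the full detail server-side under a reference id and hands the caller
    only a generic message plus that id, so support can still find the real error."""
    try:
        return {"ok": True, "rows": conn.execute(sql, params).fetchall()}
    except sqlite3.Error as e:
        ref = uuid.uuid4().hex[:12]
        log.error("query failed ref=%s sql=%r params=%r error=%s", ref, sql, params, e)
        return {"ok": False, "error": "The request could not be processed (ref %s)." % ref}


def demo():
    """Run the same failing query through both handlers and return the two error strings."""
    conn = empty_db()
    sql = "SELECT * FROM secrets WHERE owner = ?"
    leaky = run_query_leaky(conn, sql, ("alice",))["error"]
    careful = run_query_careful(conn, sql, ("alice",))["error"]
    return leaky, careful


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    leaky, careful = demo()
    print("leaky  :", leaky)
    print("careful:", careful)
```

The reference id is what makes the generic message workable in practice: the user can quote it to support, and the operator can find the real error in the logs without ever exposing table names to the client.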

Keep Databases and Applications Fully Patched 

It should go without saying that security patches should be applied regularly. However, patching is one of the most overlooked security practices, whether because of poor management, missed vendor notifications, or a combination of these and other factors. For many organizations the practical answer is a patch management system that removes the manual steps that tend to fall through the cracks.

Implement Network Monitoring Tools 

Monitoring access activity at the application level can give an early indication that an attack is under way. Simple clues, such as a spike in database errors or an unusual increase in request volume from a single source, can warn administrators of an attack in progress.

Implement Filtering Tools

Real-time security applications, such as a web application firewall, can work with the monitoring systems to block attacks as they occur, by filtering suspect traffic and denying it access to the database. Such filters are a useful extra layer, but they rely on recognizing attack patterns and will miss some and misfire on others, so they complement rather than replace parameterized queries.
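The following added example (not code from the original article) covers the two previous sections together: it parses a handful of constructed application log lines, flags a client that produces a burst of database errors inside a short window (the monitoring clue described above), and then makes a real-time filtering decision that denies requests from flagged clients or requests whose query string carries a typical SQL Injection signature. The log format, thresholds and signature patterns are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample application log lines (not from the original article):
# "<timestamp> <client> <status> <path>", one request per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 200 /products?name=widget
2024-05-01T10:00:02 198.51.100.9 200 /products?name=gadget
2024-05-01T10:00:03 203.0.113.7 500 /products?name=widget%27
2024-05-01T10:00:04 203.0.113.7 500 /products?name=%27+UNION+SELECT+1%2C2+FROM+secrets--
2024-05-01T10:00:05 203.0.113.7 500 /products?name=%27+UNION+SELECT+1%2C2+FROM+accounts--
2024-05-01T10:00:06 203.0.113.7 200 /products?name=%27+UNION+SELECT+username%2Cpassword_hash+FROM+users--
2024-05-01T10:00:07 198.51.100.9 200 /products?name=widget
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Turn the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, status, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "status": int(status), "path": path})
    return events


def suspicious_clients(events, window=timedelta(seconds=60), error_threshold=3):
    """Monitoring clue: flag any client that causes error_threshold or more
    server errors within a sliding window (thresholds are assumptions)."""
    errors = defaultdict(list)
    for ev in events:
        if ev["status"] >= 500:
            errors[ev["client"]].append(ev["ts"])
    flagged = set()
    for client, times in errors.items():
        times.sort()
        for i, start in enumerate(times):
            # count errors that fall inside the window opened by this error
            if sum(1 for t in times[i:] if t - start <= window) >= error_threshold:
                flagged.add(client)
                break
    return flagged


# Signature patterns a simple filter might use; they catch common payloads
# but not every encoding or variant, which is why they complement parameterization.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\d", re.I),                  # ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),         # UNION SELECT
    re.compile(r"--|/\*|;\s*(drop|delete|insert|update)\b", re.I),
]


def looks_like_sqli(path):
    """Decode the query string and test it against the signature patterns."""
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    return any(p.search(query) for p in SQLI_PATTERNS)


def filter_decision(event, blocklist):
    """Real-time filter: deny if the source was flagged by monitoring or the
    request carries a signature; everything else is allowed through."""
    if event["client"] in blocklist:
        return "deny:blocklisted"
    if looks_like_sqli(event["path"]):
        return "deny:signature"
    return "allow"


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    blocked = suspicious_clients(events)
    print("flagged by error burst:", blocked)
    for ev in events:
        print(ev["ts"].time(), ev["client"], filter_decision(ev, blocked))
```

In the sample, the three errors from 203.0.113.7 within a few seconds are enough to flag it, so its later UNION request is denied by the blocklist before the signature check even runs; the same request from an unflagged client would still be stopped by the signature. The earlier single-quote probe (`widget'`) matches no signature, which is exactly the kind of request a filter lets through and monitoring has to catch.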
