
Wednesday, February 15, 2012

What tips should a web application follow to defend against SQL injection attacks?

SQL injection attacks are one of the top 10 security vulnerabilities for web sites and applications, as ranked by the Open Web Application Security Project (OWASP). Because the threat is so serious, a number of measures have been designed to curb SQL injection attacks.

SQL injection attacks are very common these days. This is probably due to two main factors:

- The prevalence of vulnerabilities that enable SQL injection attacks is significant.
- The target of an SQL injection attack, i.e., the web site's or web application's database, is very attractive and useful to attackers, since it contains all the critical and sensitive data of the site or application.

Here we are going to discuss those SQL injection countermeasures.
- The first step in avoiding SQL injection attacks is to understand exactly how these attacks occur.
- An SQL injection attack occurs whenever the web site dynamically builds a database query.
- These queries are built directly from the input entered by the user.
- Once you know what actually makes it easy for attackers to carry out an SQL injection attack on a web site or web application, avoiding SQL injection attacks becomes much easier.

There are two ways of avoiding the attacks, which are discussed below:

1. Dynamic queries should not be written. An alternative to dynamic queries should be used instead.
2. The input supplied by the end user should be checked for malicious SQL statements. Queries containing such statements should be prevented from reaching the database, because the injected input alters the code logic of the query.

The above two approaches can be used with any of the available programming languages and with databases of any type.

There are some primary defense techniques you can follow to avoid SQL injection attacks. They are stated below:

Defense 1:
- Escape the input supplied by the user.
- Here the query statements are prepared in advance by the web site or web application developer.
- These queries are very easy to understand and do not require as much effort as dynamic queries.
- This method is implemented as follows.
- The developer first defines the code for all the SQL statements.
- The data is then passed into the respective parameter later, when required.
- This technique gives the database the ability to distinguish between data and code, irrespective of what data the user has entered.

Defense 2:
- The web sites and web applications can make use of pre-designed queries or parameterized queries.
- This approach is used when the other two fail.
- However, it is not as strong as the other two approaches.

Defense 3:
- The web sites and web applications can make use of pre-designed (stored) procedures.
- They are implemented in a way similar to that of prepared statements.
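The difference between the two approaches above (a dynamically concatenated query versus a prepared/parameterized statement) and the white-list input check mentioned later can be seen side by side in the following added example. It is not code from the original post; it uses Python's built-in sqlite3 module and a constructed in-memory table, and the names `make_db`, `find_user_dynamic`, `find_user_parameterized` and `find_user_whitelisted` are this example's own.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_dynamic(conn, name):
    """Dynamic query: user input is concatenated into the SQL text.

    The database cannot tell data from code here, so input containing
    quotes or SQL keywords changes the logic of the query.  Vulnerable.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """Prepared/parameterized statement: the SQL text is fixed by the
    developer and the value is bound to the placeholder as data, so the
    database treats it purely as a string to compare against."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# White list: only the characters a user name may legitimately contain.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def find_user_whitelisted(conn, name):
    """Defense in depth: reject input that fails the white list before it
    ever reaches the (already parameterized) query."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("input rejected by white list")
    return find_user_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that alters the dynamic query
    print("dynamic:      ", find_user_dynamic(db, crafted))      # every row
    print("parameterized:", find_user_parameterized(db, crafted))  # []
```

Running the script shows the concatenated query returning every user while the parameterized query returns nothing, because the same string is compared literally instead of being parsed as SQL.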

In addition to these primary defense techniques, there are some additional defense measures which can be followed if you are not satisfied with the security offered by the primary techniques alone:

- Grant the database account the least privileges it needs.
- The web site or application developer can perform a white-list check to validate the input used in queries. This is effective because an unvalidated parameter, when appended to a query built from user input, allows the attacker to inject malicious SQL statements into the database of that particular web site or application. This method of injecting SQL statements into the database is used quite often by attackers.
