Monday, June 2nd, 2008

Having seen the effects of an SQL injection attack, I thought I'd offer some tips on preventing SQL injection in the first place.

All it takes is one vulnerability to compromise your entire application. If the vulnerability is a common one, you could also be the target of scripts that autonomously scour the web, attempting injections against every site they find. Let's get right into some tips:

Validate Anything That Comes In Via Querystring

Although you may expect your query string to do something simple in your application, it can provide attackers with an intrusion point. Example:


I use the query string to provide me with a 1 or a 0. But don't expect attackers to only provide you with a 1 or a 0. Let's say you're using the value of "error" in your SQL statement:

UPDATE userStatus SET error=1 WHERE userID=248

An attacker can change the error value to something malicious directly in the address bar and thereby manipulate your SQL statement to their advantage. It wouldn't take much to alter the query string so that your application builds the following:

UPDATE userStatus SET error=1; UPDATE userStatus SET password='HACKED' WHERE userID=248

What you need to do is convert the query string's value to the type you expect (here, an integer) or, better still, check it against the exact set of values you expect (here, 0 or 1) and reject anything else before it gets anywhere near your SQL statement. Validation alone is only a backstop, though: the reliable fix is to pass the value to the database as a bound parameter of a prepared statement rather than concatenating it into the SQL text, so that whatever it contains can never be parsed as SQL. Note also that the attack above relies on the database driver accepting several statements in one call. Many drivers disallow that, but it doesn't save you: a value such as 1, password='HACKED' changes the same row inside a single statement.
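Here is the vulnerable pattern from the post beside its hardened form, as an added example in Python using an in-memory SQLite database; it is not code from the original post. The userStatus table, its error and userID columns and the userID 248 come from the post; the password column, the sample rows, and the use of executescript() to model a driver that accepts stacked statements are assumptions made for the demo.

```python
import sqlite3

# Constructed sample schema and rows for the demo (an assumption, not from the
# original post): the post only names the userStatus table and its error and
# userID columns; the password column is assumed so the injected statement has
# something to hit.
SCHEMA = """
CREATE TABLE userStatus (userID INTEGER PRIMARY KEY, error INTEGER, password TEXT);
INSERT INTO userStatus VALUES (248, 0, 'original');
INSERT INTO userStatus VALUES (249, 0, 'original');
"""

# What an attacker types into the address bar in place of "1" (the post's
# payload, with the table name filled in). The application's own
# " WHERE userID=248" gets appended after it.
PAYLOAD = "1; UPDATE userStatus SET password='HACKED'"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_error_vulnerable(conn, user_id, error):
    """The post's pattern: the raw query-string value is pasted into the SQL text.
    executescript() is used so SQLite runs stacked statements, modelling a driver
    that accepts several statements per call (assumption)."""
    sql = "UPDATE userStatus SET error=%s WHERE userID=%d" % (error, user_id)
    conn.executescript(sql)


def accepted(error):
    """Exact allowlist of the values this endpoint is designed to accept.
    Deliberately stricter than int(): "01" and " 1" are rejected too."""
    return error in ("0", "1")


def set_error_safe(conn, user_id, error):
    """Hardened version: allowlist first, then a bound parameter so the value
    never becomes part of the SQL text."""
    if not accepted(error):
        raise ValueError("error must be 0 or 1, got %r" % (error,))
    conn.execute("UPDATE userStatus SET error=? WHERE userID=?", (int(error), user_id))
    conn.commit()


def row_of(conn, user_id):
    """Return (error, password) for a user so the two paths can be compared."""
    return conn.execute(
        "SELECT error, password FROM userStatus WHERE userID=?", (user_id,)
    ).fetchone()


def demo_vulnerable():
    """Run the attack against the concatenating version; returns the victim's row."""
    conn = fresh_db()
    set_error_vulnerable(conn, 248, PAYLOAD)
    return row_of(conn, 248)          # (1, 'HACKED')


def demo_safe():
    """Run the same payload against the hardened version, then a legitimate value.
    Returns (payload_rejected, victim_row)."""
    conn = fresh_db()
    try:
        set_error_safe(conn, 248, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    set_error_safe(conn, 248, "1")
    return rejected, row_of(conn, 248)   # (True, (1, 'original'))


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:      ", demo_safe())
```

The allowlist does the validation the post asks for, but the bound parameter in set_error_safe is what actually makes the query immune: even if a bad value slipped past the check, the driver would hand it to the database as data, not as SQL.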

Validate Anything Posted to a Form

Information posted from a form should also be validated. Keep in mind that a request can be posted to your form handler without the form ever being loaded: an attacker can craft the request by hand, so client-side restrictions such as an HTML maxlength on a text field are not enforced at all. That means your validation has to happen on the server. Using the programming language of your choice, you should validate each input based on:

  • Length
  • Illegal characters
  • Type of input (integers, phone numbers, text)
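The three checks above applied to a posted form, as an added example in Python; this is not code from the original post. The field names, the rules for each field, the phone-number format and the two sample submissions are all constructed for the demo.

```python
import re

# Constructed field rules for the demo (an assumption, not from the original post).
# Each field gets a type, a server-side maximum length and, for free text, an
# allowlist of characters. Any field not listed here is rejected outright.
FIELD_RULES = {
    "age":   {"type": "integer", "max_len": 3},
    "phone": {"type": "phone",   "max_len": 20},
    "name":  {"type": "text",    "max_len": 40, "pattern": r"[A-Za-z][A-Za-z .'-]*"},
}

# Assumed phone format: optional leading +, then 7 to 15 digits.
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")


def validate_form(posted, rules=FIELD_RULES):
    """Validate a dict of raw posted fields on the server.

    Returns (clean, errors): clean holds typed, normalised values for the fields
    that passed; errors maps each rejected field to the reason. Nothing the HTML
    form claimed to enforce is trusted, since the request may never have come
    from that form at all.
    """
    clean, errors = {}, {}
    for name, rule in rules.items():
        raw = posted.get(name)
        if raw is None:
            errors[name] = "missing"
            continue
        # Length: the HTML maxlength attribute is a hint to browsers, not a control.
        if len(raw) > rule["max_len"]:
            errors[name] = "too long"
            continue
        # Type: integers are digits only, so "2a" or "2;5" never reach int().
        if rule["type"] == "integer":
            if not re.fullmatch(r"[0-9]+", raw):
                errors[name] = "not an integer"
                continue
            clean[name] = int(raw)
        elif rule["type"] == "phone":
            digits = raw.replace(" ", "").replace("-", "")
            if not PHONE_RE.fullmatch(digits):
                errors[name] = "not a phone number"
                continue
            clean[name] = digits
        else:
            # Illegal characters: free text is matched against an allowlist pattern,
            # which is far safer than trying to enumerate the bad characters.
            if not re.fullmatch(rule["pattern"], raw):
                errors[name] = "illegal characters"
                continue
            clean[name] = raw
    # Fields the form never had: a hand-crafted request can add any it likes.
    for name in set(posted) - set(rules):
        errors[name] = "unexpected field"
    return clean, errors


# Constructed sample submissions: one honest, one hand-crafted by an attacker.
GOOD_POST = {"age": "25", "phone": "+1 555-0100", "name": "O'Brien"}
BAD_POST = {"age": "2a", "phone": "call me", "name": "x' OR '1'='1", "admin": "1"}

if __name__ == "__main__":
    print(validate_form(GOOD_POST))
    print(validate_form(BAD_POST))
```

Notice that the honest submission contains an apostrophe in O'Brien and still passes, as it should: validation decides what values are acceptable, and it is the parameterized query that keeps an acceptable value from being read as SQL.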

Hope that helps. :)

