What You Need To Know About SQL Injection

Monday, June 2nd, 2008

Categories: Web Development

RSS Comment Feed

Trackback

AddThis Social Bookmark Button

Having seeing the effects of an SQL Injection attack, I thought I’d be able to tackle some tips on preventing SQL Injections in the first place.

All it takes is one vulnerability to affect your entire software application. If the vulnerability is general enough, you could be the target of scripts that scour the web autonomously attempting to inject websites. Let’s get right into some tips:

Validate Anything That Comes In Via Querystring

Although you may expect your query string to do something simple in your application, it can provide hackers with a intrusion point. Example:

http://www.pat-burt.com/somePage.php?error=1

I use the querystring to provide me with a 1 or a 0. But don’t expect hackers to only provide you with a 1 or a 0. Let’s say you’re using the result of the value “error” in your SQL statement:

UPDATE userStatus SET error=1 WHERE userID=248

You can see how the hacker can change the error value to something malicious directly in the address bar to manipulate your SQL statement to their advantage in the following example. It wouldn’t take much to change the query string to produce the following SQL statement:

UPDATE userStatus SET error=1; UPDATE SET password=’HACKED’ WHERE userID=248

What you’d need to do is strip characters or convert the query string’s result to an integer (in this case). If you’re expecting either of those values, check for either of those values before anything goes into your query string.

Validate Anything Posted to a Form

Info posted from a form should also be validated. Keep in mind that forms can be posted to without even viewing the actual form. That means your form validation needs to go beyond using HTML to put a limit on the number of characters in your text field. Using the programming language of your choice, you should validate input based on:

  • Length
  • Illegal characters
  • Type of input (integers, phone numbers, text)

Hope that helps. :)

Bookmark this blog using any bookmark manager!
Subscribe to Pat-Burt.com via RSS

Error. Page cannot be displayed. Please contact your service provider for more details. (2)



Related Posts


Subscribe to this Post

Comments are closed.