Secure your web from SQL Injections

Last couple of months, I came across two incidents of SQL injections due to most common errors by IT professionals.

  1. How To Hack A Brazilian Power Company
  2. SQL Injection discovered on Wall Street Journal
Both incidents are stunning and they were exploited by hackers with minimal effort. Little care during web application development could avoid both incidents.
If you are IT professional , you must know about SQL injections’ cause and remedy.
wikipedia provides detailed definition :

“SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.”

Most common SQL injections are:

1. Incorrectly filtered escape characters
  • Most common is Quote or Special character handling

2. Incorrect type handling

  • Brazil incident fall into this category

3. Vulnerabilities inside the database server

  • WSJ incident fall into this category : BAD password!

4. Blind SQL injection

  • Result of this attack is not visible to hacker but it can help to exploit more SQL injections.
  • conditional responses
  • conditional errors
  • execute long running queries

You can avoid these catastrophic SQL injections by little care during the web application coding such as using bind variables, verify input values and take care of escaping characters. Database level security such as password and access control also help to avoid SQL injections.

I hope this will save you from future SQL injection 🙂