SQL injection: Developers fight back


Anurag Agarwal
04.06.2006




SQL injection is one of the newer attacks aimed at Web application security in the cybercrime world. It targets your database, which stores sensitive information about your employees or customers. The attack exploits vulnerabilities in your application to reach the database by manipulating the SQL queries your application builds from the values entered in the input boxes of your Web form.

A lot has already been written on how SQL injection attacks are carried out, so I am not going to go into that. I have some links at the bottom where you can get more information on how this attack works.

What I want to do is look at 10 steps you can take to prevent your applications from being vulnerable to this type of attack.

Input validation
Let's explore input validation further. Almost any Web application has input boxes to collect data from the user. When a Web form is submitted, the input values are sent to the application running on the server. The application should validate that input before processing it. Certain steps can be taken to protect the application from malicious input.

Authentication input: Authentication is the entry point to the system and therefore a more sensitive area, and the likelihood of an attacker trying SQL injection here is extremely high. Moreover, if authentication is compromised, the attacker has unauthorized entry into your system. Some of the techniques we can implement here include the following:

Other form field input: Let's look at some of the common form fields that are usually available before authentication and what you can do to prevent SQL injection attacks in those fields.

  • Registration page: This page usually consists of multiple fields. Apply the appropriate validation techniques for different fields based on the sample code below.


  • Feedback and suggestions: If this is stored in the database, it should be stored as a CLOB. Using PreparedStatement and storing it as a CLOB will protect it from most types of attacks.
  • Contact Us: If there is no reporting or tracking requirement for this information, architects should avoid storing it in the database at all. Accept the form fields and send them as an e-mail. That gives you one less area to protect from SQL injection.
  • Input validation techniques
    Ideally, architects define in the design phase what type of input is expected (alphabetic, numeric, alphanumeric) and which characters are allowed for that type of input. Let's take a look at an example with sample code in Java.

    Username validation -- The following rules will apply:

    Sample code:

    For numeric input, also parse it into an integer before using it in your SQL query. If the parse throws a NumberFormatException, the input is not valid.

    It can get tedious to define rules for every individual field. In such cases, architects can divide the fields into categories, such as single word, multiple words, multiple words with punctuation, e-mail address, numeric input, etc., and define rules per category.

    As you can see, by taking certain measures you can avoid common vulnerabilities and create more secure Web applications. After all, every step, however small, is a step forward in securing your application.
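The following is an added example, not the article's own sample code, of the approach described above in Java: allow-list rules per field category, numeric input parsed with NumberFormatException as the rejection signal, and a PreparedStatement that binds the validated value as a parameter rather than appending it to the query. The category regular expressions, the USERS table and its USERNAME column are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Allow-list validation by field category, plus a parameterized lookup. */
public class InputValidator {

    /** Field categories, each with an assumed allow-list regular expression. */
    public enum Category {
        SINGLE_WORD("^[A-Za-z]{1,30}$"),
        MULTIPLE_WORDS("^[A-Za-z]+( [A-Za-z]+){0,19}$"),
        MULTIPLE_WORDS_WITH_PUNCTUATION("^[A-Za-z0-9 ,.!?-]{1,200}$"),
        EMAIL("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"),
        USERNAME("^[A-Za-z][A-Za-z0-9_]{3,19}$");

        private final Pattern pattern;

        Category(String regex) {
            this.pattern = Pattern.compile(regex);
        }

        /** True only when the whole value matches the category's allow-list. */
        public boolean matches(String input) {
            return input != null && pattern.matcher(input).matches();
        }
    }

    public static boolean isValid(Category category, String value) {
        return category.matches(value);
    }

    /** Numeric input: parse it; a NumberFormatException means the input is invalid. */
    public static Integer parseNumeric(String value) {
        if (value == null) {
            return null;
        }
        try {
            return Integer.valueOf(value.trim());
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /**
     * Even after validation the username is bound as a parameter, never
     * concatenated into the SQL text. Assumes a USERS table with a USERNAME column.
     */
    public static boolean userExists(Connection conn, String username) throws SQLException {
        if (!isValid(Category.USERNAME, username)) {
            throw new IllegalArgumentException("username failed validation");
        }
        String sql = "SELECT COUNT(*) FROM USERS WHERE USERNAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the quote and the semicolon are outside the
        // username allow-list, so those values are rejected before any query runs.
        String[] usernames = { "alice_01", "bob", "o'connor", "bob; x" };
        for (String u : usernames) {
            System.out.println("username " + u + " -> " + isValid(Category.USERNAME, u));
        }
        System.out.println("email a@b.co -> " + isValid(Category.EMAIL, "a@b.co"));
        System.out.println("email a@b -> " + isValid(Category.EMAIL, "a@b"));
        // Numeric input: "42" parses, "42abc" and "" do not.
        System.out.println("numeric 42 -> " + parseNumeric("42"));
        System.out.println("numeric 42abc -> " + parseNumeric("42abc"));
        System.out.println("numeric '' -> " + parseNumeric(""));
    }
}
```

Running main prints true for alice_01 and bob and false for the two values containing a quote or a semicolon; parseNumeric returns 42 for "42" and null for the other two. The userExists method needs a live JDBC Connection and is shown to make the point that validation and parameter binding are complementary: the allow-list limits what reaches the query, and the bound parameter means the database never interprets the value as SQL.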

More information:
List of SQL injection attacks by example

List of escape characters

-------------------------------
About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at anurag.agarwal@yahoo.com.

