Technical professionals responsible for the security of publicly accessible Internet servers often focus (justifiably) on maintaining the operating system and server software that they purchase from vendors. Indeed, these packages often contain significant security vulnerabilities and it is incumbent upon every security administrator to ensure that their servers are patched with the most recent vendor security patches and hotfixes.
However, that's not the extent of the administrator's responsibilities. As you probably know, the custom code developed within your organization to power dynamic Web site functionality has the potential to open significant vulnerabilities in your Web server. These flaws are especially dangerous when you're using Web applications to provide an interface to a back-end database. One particular type of attack against database-driven applications is the SQL injection. In this attack, the intruder manipulates a site's Web-based interfaces to force the database to execute undesirable SQL code.
SQL injection attacks are best learned through example. Imagine a simple Web site set up by a package delivery company to provide delivery status information to anyone who knows the tracking number associated with a particular package. The application may simply ask the user for the tracking number and then look it up in a database table using the following SQL code:
Where @tracking is a variable passed in from the Web application. Under normal circumstances, this application may function perfectly normally. For example, if a user enters the tracking number 1A2123ZC2, the corresponding query would be:
That ideal situation makes one flawed assumption -- that the user will only enter a valid tracking number. Malicious individuals are not likely to be so cooperative. Suppose that the user instead enters the string shown below in the tracking number field:
Which will have the unintended consequence of retrieving all of the tracking information stored in the database. Now assume that we have an even more malicious user who enters the following string:
Which would have the clearly undesirable result of deleting all of the tracking information from the database!
There are several steps that you can take to reduce the possibility of a SQL injection attack against your database:
If you take the time to implement these simple steps, you'll be well on your way to securing your Web/database interaction.
About the Author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.