- SQL
injection occur when carefully crafted text is typed into input text boxes on
web pages and web forms. The text is designed to manipulate SQL syntax and push
in code which can directly run on the internal SQL database server. This
malicious input can have the potential to get the database to output
confidential data, to delete critical information, or to manipulate critical
data.
The root cause of an SQL injection attack is letting the user input to directly be executed.
This goes against the tenets of secure input handling which requires all user input to be- - Validated against a finite, known range of expected characters
- Sanitized and escaped – the apostrophe character is notorious for being at the heart of SQL injections, if there is a reason to accept this character as input (for instance if a person’s name is O’Hara), then it needs to be converted to O'Hara where ' is the HTML code for the apostrophe (single quotation mark).
- Limited to a reasonable maximum size
Also, error-handling should be robust and default cases should be handled to help weed out unexpected input.
Output should be monitored as well, and parsed through and checked by routines before directly displaying it the user.
The database should have triggers in place which alert and/or stop a query which is attempting to
- access sensitive data or large amounts of data
- manipulating unauthorized data
- delete data or complete tables
SQL injections continue to be a common security risk as-
- all websites have databases and webpages, but not every developer codes with security in mind
- websites keep growing in size and complexity, and the possibility of an unknown and unmanaged webform (which accepts user input) which hasn’t been monitored and is still tied to the database, is high.
- Development projects are rolled out under high pressure and tight deadlines – leading to negligence and oversights in secure coding practices
- Teams rarely test robustly before publishing the websites and going “live”
- Legacy systems which were created before security became a necessity still exist
SQL servers may not always be patched on time