Table of Contents
What is SQL Injection?
Why SQL Injection is Important
SQL Injections have been at the top of every OWASP Top 10 list for over 10 years. Many web applications use databases for efficient storage and retrieval of data. This means that databases contain a lot of important and sensitive data, such as usernames, passwords, dates of birth, Social Security numbers, and more.
Web applications interact with the database layer using SQL queries. Typically, these queries are performed using inputs in the web page — like a search query. However, a poorly designed web application may accept any type of SQL query in an input box intended only to accept a specific type of data, for example, the user’s first name. Attackers exploit this flaw by entering SQL queries in these input boxes to either retrieve or corrupt data stored in the database.
What You Can Do
There are a variety of techniques to limit the ability of attackers to directly steal or corrupt your data. Most techniques are intended to minimize the ability of end-users to supply data or commands that can be interpreted by your web server or database. It is important to note that this input can come from a variety of sources including posted form submissions, URL arguments, and browser cookies.
Some of the more common SQL injection prevention techniques are listed below.
- Sanitization. The most common protection is to sanitize all user-supplied data should be sanitized in order to remove character strings that could be executed as SQL commands by the interpreter or passed directly to a SQL database. Sanitization generally involves replacing executing commands found within user data with alternative, non-executable characters.
- Filtering and validation. All user-supplied data should be validated by limiting the format, length, and other attributes of permissible inputs. Occurrences of SQL commands or other malicious code should be filtered.
- Avoid unsecured URL parameters. Avoid using URL arguments such as in an object relational model (ORM) that trigger database operations. Instead, use a secure API for all database access.
- Limiting the scope of SQL commands. Use LIMIT commands within SQL operations to minimize the disclosure of data in case a SQL injection reaches your database.
Although coding techniques like the ones listed above are important, careful coding does not guarantee protection. Third-party software libraries, subsequent code changes by other developers, and newly discovered obfuscation techniques can leave your website exposed to SQL injection attacks. Adding an automated layer of protection with a Web Application Firewall can ensure that your websites and web applications remain protected.