February 18, 2003 at 2:24 am
Could someone please point me to a good article explaining what SQL Injection is, and how to best prevent it?
I've just heard of, and seen some examples of this here at this site today, and I'd like to be aware of it while I'm coding.
February 18, 2003 at 2:26 am
Does this help?......
How can I protect against SQL Injection attacks?
Answer: If your web servers happen to have a database backend (i.e. nearly all servers in commercial environments), SQL Injection attacks are malicious attempts aimed at bypassing the security mechanisms of the database. To do this, SQL Injection attacks utilize the web server to modify the content in the database.
Formally, SQL Injection is a technique that enables an attacker to execute unauthorized SQL commands by taking advantage of unsanitized input opportunities in Web applications that build dynamic SQL queries.
For example, the most common form of SQL injection is bypassing a login screen. Typically, the SQL would look like this:
"SELECT * FROM logins WHERE uid = '[form input here]'"
The script would then check to see if there was any result. If the following is entered into the form "'' OR '1'='1'", then the SQL becomes:
"SELECT * FROM logins WHERE uid = '' OR '1'='1'",
That entry will always return a result and allow an attacker access to that system.
While the above example is a little hard to create keywords which will avert this attack, most SQL Injection attacks are much simpler to catch. A lot of attacks utilize default-stored procedures that have poor account security. Many stored procedures allow use by the 'public' account (SQL2000) and this is akin to allowing the 'guest' user to have access to something on a server.
There are five simple rules to remember in relation to averting SQL Injection attacks:
Protect the entry point first – the web server.
Never pass unchecked user-input to database-queries.
Validate and sanitize every user variable passed to the database.
Check if the given input has the expected data type.
Quote user input that is passed to the database.
For those with Microsoft web servers, you can screen out potential SQL injection threats by screening out potential attack requests before they are processed by IIS. SecureIIS Web Server Protection from eEye Digital enables administrators to properly define filters that can screen for unwanted commands and requests. For example, if part of the form input is a numeric field then do NOT allow any other characters aside from numbers to come through that field. If it's a username then obviously most characters that are not alpha or numeric need not be allowed either.
Best practices in managing a secure SQL server dictate removing any unnecessary stored procedures and locking down the ACLs on the remaining procedures. Compile a list of the remaining procedures and add those keywords to SecureIIS. DBAs (Database Administrators) must do all they can to remove unneeded functionality. All unused stored procedures should be removed and permissions must be reviewed on the ones remaining. Some of the most commonly used stored procedures (such as xp_cmdShell) to act as a booby trap. SecureIIS uses these booby-trapped keywords to alert administrators when someone is actively attacking a web application and looking for a flaw.
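The login query from the post above, as an added example that is not part of the original thread. Python's sqlite3 stands in for the database; the table contents, the CRAFTED form value and the field length limits are constructed for the demonstration, and parameter binding is a technique added here alongside the input checks the post lists.

```python
import re
import sqlite3

# Assumed form value that yields the query text quoted in the post.
CRAFTED = "' OR '1'='1"

def make_db():
    """Constructed sample data; table and column names follow the post's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (uid TEXT PRIMARY KEY, pin INTEGER)")
    db.executemany("INSERT INTO logins VALUES (?, ?)",
                   [("alice", 1111), ("bob", 2222)])
    return db

def build_concatenated(uid):
    """The pattern from the post: form input pasted into the SQL text."""
    return "SELECT * FROM logins WHERE uid = '" + uid + "'"

def login_concatenated(db, uid):
    return db.execute(build_concatenated(uid)).fetchall()

def login_parameterized(db, uid):
    """Bound parameter: the driver passes uid as data, never as SQL text."""
    return db.execute("SELECT * FROM logins WHERE uid = ?", (uid,)).fetchall()

def validate_uid(raw):
    """Allow-list check for a username field (32-character limit is assumed)."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", raw):
        raise ValueError("uid contains characters outside the allow-list")
    return raw

def parse_numeric_field(raw):
    """Type check for a numeric field (9-digit limit is assumed)."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("numeric field contains non-digit characters")
    return int(raw)

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated(CRAFTED))
    print("concatenated :", login_concatenated(db, CRAFTED))   # every row
    print("parameterized:", login_parameterized(db, CRAFTED))  # no rows
    for raw in ("alice", CRAFTED):
        try:
            print("accepted uid:", validate_uid(raw))
        except ValueError as exc:
            print("rejected uid:", exc)
```

The bound query returns no rows for the crafted value because the whole string is compared against uid as a literal, so the validation functions act as a second layer rather than the only defence.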
February 24, 2003 at 3:26 pm
Here's a link for you,
http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
Thanks
Phill Carter
--------------------
Colt 45 - the original point and click interface