Wednesday, 8 February 2012

SQL Injection Countermeasures


SQL injection is kinda complex vulnerability and usually applying a fix will differ on which type of application you are developing. By the way instead of its complexity and different types of injection methods SQL injection is one of the easiest to counter. Following are some measures that can be used against SQL injection attack.


1. As told earlier SQL injection attacks occurs due to non-sanitized input. So our first step would be sanitizing input. At developer level build application which explicitly escapes single quotes and apostrophe, do not validate input of expression type for example, 1 + 1, x+ y etc. By sanitizing input by above method you'll be able to stop SQL injection since application will not accept malicious input.

2. The second solution at developer level is to use Application Programming Interface (API's) which disallow SQL injection. Today nearly every web application development tool has an API which handles SQL queries all by its own, its better to use them because they not only reduce overall development overhead but also provide protection against SQL injection.

3. At system level allow application to run at possible lower privileges, with which it can run flawlessly. There's no need to grant application more privileges than required. It might take little time to apply this but doing so will disallow hacker to retrieve sensitive data from your database since privileges will be limited.

4. Lastly remove unnecessary database packages from your system since they don't only take extra memory and disk space but if any of them is vulnerable your database will become vulnerable too.

Depending upon what kind of application you are developing some or more modifications may need while development to avoid injection. But at practical level above countermeasures can surely be applied to any kind of web application to ensure protection against SQL injection.

No comments: