Protecting Your Application from SQL Injection.

As you probably know one common practice in server side coding is to pass variables directly into a query. This is perhaps most prevalent in PHP development (I love PHP, but most developers just pass the values right into the query). This leaves applications wide open to SQL injection attacks. This problem is only compounded with an Ajax application as crackers can simply look at your JavaScript to find out what URLs to use to attack. This can get worse as you may not even realize that you have been attacked if somebody just uses SQL injection to steal data (something that is getting much more common).

So, how are we to protect ourselves from such attacks? The first rule is to never trust any information that is sent from the user. If the value is supposed to be a number check to make sure it is a number or if it is supposed to be under a certain number of characters make sure it is under that number of characters. When checking user data never rely on client side checks as these can easily be bypassed.

The next thing you should do is change your server error settings. Often detailed error pages are used to gain information that helps an attacker get into your system. Change the error screens to be very generic, besides users don't need to know any more information regarding the error.

Once you fix the error screens and validate data you can use some string manipulation to convert certain characters (such as the semicolon, quotation marks and single quote) to web friendly characters (This is somewhat less important in the Java world as a JDBC connection handles much of these security issues automatically). One trick I've used is to convert a string to be URL encoded thus removing bad characters as well as all spaces. Of course you will need to remember to convert the string back to be displayed properly.

So, the main things to remember when protecting your application from SQL Injection are:

  1. Never trust data sent from your users
  2. Don't give away too much information in your error messages
  3. Check and clean the data of characters that are potentially threatening

For more information on protecting against SQL injection attacks click here.

I would love to hear how you are securing your applications from this huge threat, so leave comments on any tips or struggles that you have had.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <pre> <div> <blockquote> <object> <embed> <img> <param>
  • Lines and paragraphs break automatically.
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Copy the characters (respecting upper/lower case) from the image.