Protecting Your Application from SQL Injection.

As you probably know, one common practice in server-side code is to paste request variables straight into a query string. This is perhaps most prevalent in PHP development (I love PHP, but most developers just pass the values right into the query). It leaves applications wide open to SQL injection. The problem is compounded in an Ajax application, because an attacker can simply read your JavaScript to learn which URLs and parameters the server accepts. It can get worse still: you may never realize you have been attacked if someone uses SQL injection only to read data rather than to change anything, which is increasingly common.

So, how are we to protect ourselves from such attacks? The first rule is never to trust any information sent from the user. If a value is supposed to be a number, check that it is a number; if it is supposed to be under a certain number of characters, check its length; if it should match a known pattern (a username, an ISO date), check the pattern. Do these checks on the server. Client-side checks are fine for user experience, but they can be bypassed trivially, since the attacker controls the client and can send requests directly to your URLs.

The next thing you should do is change your server error settings. Detailed error pages (the database error text, the failing query, a stack trace) tell an attacker your table and column names and confirm whether an injection attempt parsed as SQL. Make the error screens generic and log the detail server side where only you can read it; users don't need any more information about the error.

Once you fix the error screens and validate data, the remaining risk is the query itself. The reliable fix is to keep user data out of the SQL text entirely by using parameterized queries (prepared statements with bound parameters: PDO or mysqli prepared statements in PHP, PreparedStatement in Java), so the database never has the chance to parse user data as SQL. This is why the Java world has an easier time of it: a JDBC PreparedStatement with bound parameters handles the quoting for you, but a JDBC Statement built by string concatenation is just as vulnerable as any PHP query. Where you genuinely cannot use parameters, use the database driver's own escaping function on the dangerous characters (the semicolon, double and single quotation marks, the backslash) rather than hand-rolled string manipulation. One trick I've used is to URL-encode the string before it goes into the query, which strips quotes and spaces; remember to decode it again for display. Bear in mind that escaping or encoding quotes does nothing for a value placed in an unquoted numeric position (`WHERE id = 1 OR 1=1` needs no quote at all), which is one more reason to validate the type and to prefer bound parameters.
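As an added example (not code from the original post), here are the vulnerable and hardened versions side by side in Python against an in-memory SQLite table, with the validation from the first rule applied before the query. The table, its rows, the attacker inputs and the function names are all constructed for this example. It also shows why stripping quotes is not enough on its own: the numeric lookup is injectable with no quote character at all.

```python
import re
import sqlite3


# Constructed sample database: an in-memory SQLite table standing in for
# the application's real users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


# Vulnerable: the request value is pasted straight into the SQL text, so a
# quote in the value closes the string literal and the rest is parsed as SQL.
def lookup_by_name_vulnerable(conn, name):
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# Vulnerable in a numeric position: no quote is needed to break out, so
# escaping or URL-encoding quotes would not help here at all.
def lookup_by_id_vulnerable(conn, raw_id):
    query = "SELECT name, email FROM users WHERE id = " + raw_id
    return conn.execute(query).fetchall()


# Hardened: the value travels as a bound parameter, never as SQL text, so
# the database treats it as data whatever characters it contains.
def lookup_by_name_safe(conn, name):
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Server-side validation (rule 1): reject anything that is not the expected
# shape before it goes anywhere near the database.
def validate_id(value):
    """Return an int for a short string of digits, or None if it is not one."""
    if re.fullmatch(r"[0-9]{1,9}", value) is None:
        return None
    return int(value)


def validate_name(value, max_len=32):
    """Return the name if it is non-empty, short and alphanumeric, else None."""
    if re.fullmatch(r"[A-Za-z0-9_]{1,%d}" % max_len, value) is None:
        return None
    return value


def lookup_by_id_safe(conn, raw_id):
    user_id = validate_id(raw_id)
    if user_id is None:
        # Generic failure (rule 2): do not echo the bad value or a DB error.
        return []
    return conn.execute(
        "SELECT name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker inputs, as they would arrive in a request parameter.
    print(lookup_by_name_vulnerable(db, "' OR '1'='1"))  # both rows
    print(lookup_by_name_safe(db, "' OR '1'='1"))        # []
    print(lookup_by_id_vulnerable(db, "1 OR 1=1"))       # both rows, no quotes used
    print(lookup_by_id_safe(db, "1 OR 1=1"))             # [] after validation
    # Data theft without changing anything: pull is_admin through a UNION.
    print(lookup_by_name_vulnerable(db, "' UNION SELECT name, is_admin FROM users --"))
```

The UNION case is the quiet kind of attack mentioned above: nothing in the table changes, the page still renders, and the only trace is an odd-looking parameter in the web server log. The hardened functions return the same results for honest input and nothing for the attacker's, and the same pattern carries over directly to PDO or mysqli prepared statements in PHP.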

So, the main things to remember when protecting your application from SQL Injection are:

  1. Never trust data sent from your users; validate type, length and format on the server
  2. Don't give away too much information in your error messages
  3. Keep user data out of the SQL text: bind it as a query parameter, or at the very least escape the characters that are potentially threatening

For more information on protecting against SQL injection attacks click here.

I would love to hear how you are securing your applications against this huge threat, so leave a comment with any tips or struggles you have had.