Defending Against SQL Hackers

by Andrew S
The article discusses how to prevent SQL injection attacks.  An SQL injection attack targets interactive web applications that talk to a database service: in place of the expected user input, an attacker supplies malicious or malformed data, and through it can read or modify sensitive information.  The solution the author proposes is runtime validation inside the stored procedure, which checks the SQL statements that user input feeds into before they run.  The author's algorithm verifies that the user input is consistent with the intended statement and that there are no discrepancies in it.  To keep the runtime analysis cheap, the program scans only portions of each query rather than the entire query, which improves efficiency and reduces execution time.  SQL injection is a common technique attackers use against databases, and the author makes solid points on how to prevent these attacks.
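To make the runtime-validation idea concrete, here is a simplified check written for this review; it is not code from the paper and does not reproduce the paper's algorithm. It builds a statement from a stored-procedure-style template (the `LOOKUP` template, the `users` schema and the tiny lexer are all assumed here) and rejects the call when the spliced input changes the statement's token structure; in practice a parameterized query avoids splicing input at all.

```python
import re

TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')       # string literal; '' is an escaped quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*|/\*.*?\*/)  # a comment in a built query is itself suspicious
  | (?P<op><=|>=|<>|!=|[=<>(),;*])
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)  # keywords and identifiers
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)

def structure(sql):
    """Structural signature of a statement: literals collapsed, everything else kept."""
    sig, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:  # e.g. an unterminated quote left by a stray ' in the input
            raise ValueError("unlexable SQL at offset %d" % pos)
        pos, kind = m.end(), m.lastgroup
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            sig.append("<literal>")
        elif kind == "comment":
            sig.append("<comment>")
        else:
            sig.append(m.group().upper())
    return sig

def build(template, values):
    """The vulnerable pattern: splice quoted user input straight into the statement."""
    return template.format(*("'%s'" % v for v in values))

def validate_and_build(template, values):
    """Runtime validation: the spliced statement must keep the structure the template intends."""
    expected = structure(template.format(*["'x'"] * len(values)))
    sql = build(template, values)
    if structure(sql) != expected:
        raise ValueError("input changed the statement's structure; rejected")
    return sql

def is_safe(template, values):
    try:
        validate_and_build(template, values)
        return True
    except ValueError:
        return False

LOOKUP = "SELECT id FROM users WHERE name = {} AND pin = {}"  # constructed template, hypothetical schema
```

A benign name and PIN pass unchanged, while a value that appends `OR '1'='1'` or a `--` comment alters the signature and is rejected before the database ever sees it.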

I thought the article was relatable to what we learned in class because we are learning about SQL, and it is important to know the security side of it as well.  SQL plays an important role in database management and can sometimes hold valuable and sensitive information.  As a result, there needs to be some sort of protection against malicious or inaccurate inputs from an outside source.  The author does a great job describing the vulnerabilities of SQL and ways in which to prevent attacks.

The article appealed to me because my emphasis is on security, and the idea of preventing attacks intrigues me.  The article explains in detail the vulnerabilities of SQL and then goes on to explain how to fix these problems.  When first reading the article, I thought that using runtime validation would take too long to use on all the queries.  But the author uses an algorithm that only tests some of the queries instead of all of them, reducing the execution time of the program.  The article was very informative and was able to shed some light on SQL and the security measures for it.

Wei, K. (2006, April). Preventing SQL Injection Attacks in Stored Procedures. IEEE Conference Publications.

One thought on “Defending Against SQL Hackers”

  • October 28, 2012 at 10:06 pm

    When Sony’s PSN servers went down last year, it was because a hacker used SQL injection to gain access to their servers. It is amazing how the right SQL injections can give a hacker complete access to one’s servers. I believe run-time validation is one of the many defenses against an SQL injection and it doesn’t seem like it would have helped Sony last year.
