Fear of Injections?


by Han C
No, I’m not talking about hypodermic needles. The linked article explains the mystery behind SQL injections and offers a few suggestions on how you can protect yourself from an injection attack. SQL injections are extremely common and very easy to exploit. Yes, I know: your job as a database administrator just became that much sweeter, right? Fear not, because the best countermeasures are simply to identify vulnerabilities yourself and to test the safety of your system in a controlled environment first. A SQL injection occurs when attacker-supplied input is pasted directly into the text of a query, so that the database parses part of the parameter as SQL rather than as data. In other words, an attacker tricks the application into forwarding a query of the attacker's choosing to the database, usually in an effort to extract more information than the application was meant to expose. The article explains that these attacks are quite simple to execute and even offers a sample or two. One reason SQL injections are so prominent is that more tools are being developed every day that attackers can use to scan for such vulnerabilities. The article explains that one of the easiest ways to prevent this is to avoid calling out to external interpreters whenever possible. Another important point is to ensure that web applications run only with the privileges they actually need, so that a successful injection cannot do more than the application account itself is allowed to do. Any user-supplied input should be rigorously validated, and the checks re-tested against unexpected inputs; validation on its own is not a complete defense, though, which is why the cheat sheet linked from the article puts parameterized queries (prepared statements) first. The bottom of the article offers a code review guide and a SQL injection prevention cheat sheet.
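To make the mechanism concrete, here is an added example (my own code, not from the OWASP article) that builds the same login query two ways against an in-memory SQLite database with a constructed users table: once by pasting the input into the query string, once with a parameterized query. It also includes a tiny black-box probe of the kind the article's testing section describes: send a lone single quote and see whether the database chokes on it. The table, user names and passwords are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "s3cret", "user"),
    ("admin", "hunter2", "admin"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting, so the attacker's text is
    parsed by the database as SQL. This is the injectable pattern."""
    query = (
        f"SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, name, password):
    """Parameterized query: the driver ships the values separately from the
    SQL text, so a quote or comment marker in the input is just data."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


def looks_injectable(login, conn):
    """Black-box style probe: a single quote breaks a concatenated query and
    produces a database error, while a parameterized query simply matches
    nothing. Returns True when the login function shows the tell-tale error."""
    try:
        login(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Comment out the password check: 'admin'-- turns the rest into a comment.
    print("bypass (vulnerable):", login_vulnerable(db, "admin'--", "wrong"))
    print("bypass (safe):      ", login_safe(db, "admin'--", "wrong"))
    # Classic tautology: every row satisfies OR '1'='1'.
    print("dump (vulnerable):  ", login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    print("probe vulnerable:", looks_injectable(login_vulnerable, db))
    print("probe safe:      ", looks_injectable(login_safe, db))
```

Running it shows `admin'--` logging in as admin with a wrong password through the concatenated query and matching nothing through the parameterized one; the probe flags only the vulnerable function. Note that the probe is a heuristic: a sloppy query that swallows errors would not show the tell, which is exactly why code review, not just black-box testing, is on the article's list.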

Any thoughts after reading this? Sure! Database administrators have a lot of work in regard to testing system functionality, performance, and security. I thought the article was good at explaining the different ways a SQL injection could lead to other types of attacks. The idea that attackers can gain access to escalated privileges is a little scary, especially if you consider how far an attack tree could spread. I felt the article offered some good suggestions for preventing SQL injections and some black-box testing examples to help us get started.

Source: https://www.owasp.org/index.php/Injection_Flaws