by Tseng H. K.
The article I read this week is “How to Prevent a SQL Injection Attack” by Tsveti Markova. Since many of us mentioned SQL injection on their post this and last week, I decided to look for ways to prevent/reduce damages from SQL injection attack. I choose this article because most of other articles are coding basis it was hard to understand. Since we just started to learn SQL quries, I wanted to look for more basic prevention principles that apply any programming language without knowing high level coding skills.
Before we begin to learn prevention, we need to know what exactly SQL injection is. SQL injection is a type of injection/method to attack web application, which attackers provide SQL code to user input box to gain unlimited access to your web application. The author suggests number of preventions on the article, I picked few of them that are most suitable to us.
1. Store database crendentials in separate file- This way, even if attackers manage to break into your server, he/she can’t benefit much.
2. Use principle of least privilege- For example, attackers grant user access to a table rather than the whole database, it will reduce damage to your data.
3. Disable shells – Shell is the ultimate access to your database. Therefore, shell is what attackers want to get. So we better disable it, only server master can have it.
4. Disable any other DB functionality you don’t need- Many of DB functionalities and tools are not risk-free. Therefore, those can be potential door that attacker might sneak in.
There are few more methods that author suggest, but I picked these four because they are relatively easy to apply base on what we learned so far. If you want to find out more prevention method you can reference author’s original post.
Tsveti Markova (October 11, 2011) How to Prevent a SQL Injection Attack http://www.developerdrive.com/2011/10/how-to-prevent-a-sql-injection-attack/