Prevent SQL Injections


by Stefan S
The article describes eight techniques for blocking SQL injections. According to Schwartz, SQL injection attacks hit Web applications 71 times per hour on average, but can peak at 1,300 attacks per hour or more. The California-based company Imperva has created a data security platform called SecureSphere, which protects databases, files and web applications against threats from hackers. The number of SQL injection attacks has increased by 83% since 2005 (Schwartz, M.J., 2011). The author lists the following eight techniques:
“1. Blacklist malicious hosts. Choose the right hosts.
2. Pool resources. Businesses that share intelligence on SQL injection attacks could have a better picture of which hosts were launching such attacks.
3. Minimize access. Restrict the data that a given Web application can retrieve from the database.
4. Encrypt data. Never store data in plain text format.
5. Distrust users. “All input is evil.”
6. Profile applications. Understand normal Web application behavior, and eliminate lookups that are more suspicious than normal or that use unusual inputs.
7. Normalize inputs. Normalize database inputs.
8. Watch for automation. SQL injection attacks are launched using automated tools.”
(Schwartz, M. J., 2011)
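As an added illustration of techniques 5 and 7 (this is example code written for this post, not code from the article or from Imperva's products): a lookup that splices user input into the SQL text, beside a parameterized version and one that also applies an allow-list to the input. It uses Python's sqlite3 module on a constructed in-memory table; the table, rows and username pattern are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for this demonstration; not from the article.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allow-list for the "normalize inputs" step: a username is 1-32 lowercase
# letters, digits or underscores. Anything else is rejected before it
# reaches the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def is_valid_username(name):
    """True only if the whole input matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_vulnerable(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so a quote
    character in the input changes the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameter binding: the input is sent as data and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_hardened(conn, name):
    """Both layers: allow-list the input, then bind it as a parameter.
    Returns None for rejected input so callers can log and refuse it."""
    if not is_valid_username(name):
        return None
    return lookup_parameterized(conn, name)
```

With a constructed input that contains a quote character, the vulnerable lookup returns every row, the parameterized lookup returns nothing, and the hardened lookup refuses the input before any query runs.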

We can relate this article to our class because when we are doing a project we need to look at it from the macro level down to the micro level; every detail counts. Sometimes our tendency with a project is just to get it done, instead of studying its structure and taking precautions with what we input. In the real business world every input is important, because one simple mistake can expose a company's vulnerable assets.

In my opinion, having a third-party company audit or double-check our work is a great idea. Hiring a company like Imperva would be worthwhile and could be cost-effective in the long run. Given the liability issues with customers, the third-party company would be fully responsible for protecting the data of the particular company.

Reference:
Schwartz, M. J. (2011). 8 techniques to block SQL attacks. InformationWeek – Online (19383371). Retrieved from http://search.proquest.com/docview/892938450?accountid=10357