SQL: Attacks and Ways to Defend


by Penny P
Internet, communications, and computer network technology have been growing at a very fast rate. Because web applications rely on SQL, the databases and operating systems behind them have become targets of SQL attacks. Server-side applications build SQL statements to operate on the database, and this makes it possible for an attacker to submit malicious SQL statements of their own. Some main forms of SQL attack include: bypassing authentication (logging on to the system with administrative privileges); performing key operations on the database (adding extra, illegal SQL statements to the normal SQL statements, which can lead to key operations such as deleting, modifying, and adding data); and executing system commands through the database (taking advantage of the feature that lets developers call out from the database to execute commands). Protection for the ordinary user includes filtering out illegal characters so that SQL commands cannot be modified; running the query through a stored procedure to avoid dynamically constructed statements; restricting user privileges; and checking that the records returned by a query match the expected results. Protection for administrators includes requiring a user name and password to log in and using a hardware encryption lock.
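To make the authentication-bypass attack and the defences in that summary concrete, here is an added example (my own code, not from the article or its authors). It builds a constructed in-memory SQLite table of users, shows a login check that splices user input into the SQL text, and then the hardened form that binds parameters, rejects illegal characters as a second layer, and checks that exactly one record comes back. The table layout, the sample accounts, and the plaintext passwords are assumptions made to keep the demo self-contained; a real system would store password hashes.

```python
import sqlite3

# Constructed sample data (assumption): two accounts, one of them privileged.
SAMPLE_USERS = [
    ("admin", "s3cret", "admin"),
    ("alice", "wonderland", "user"),
]

# Characters the article's "filter illegal characters" defence would reject.
# This is a weaker, secondary layer; parameter binding below is the primary fix.
ILLEGAL_CHARS = set("'\";-")


def make_db():
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Dynamically constructed statement: the input becomes part of the SQL text,
    so a quote in the password changes the WHERE clause instead of being data."""
    sql = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def has_illegal_characters(value):
    """Input filtering layer: True if the value contains characters that could
    alter a SQL statement."""
    return any(ch in ILLEGAL_CHARS for ch in value)


def login_hardened(conn, username, password):
    """Parameterised query: values are bound by the driver and never parsed as
    SQL. Also filters illegal characters and verifies the expected record count."""
    if has_illegal_characters(username) or has_illegal_characters(password):
        return None
    rows = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    if len(rows) != 1:  # exactly one matching account is the expected result
        return None
    return rows[0][0]


def demo():
    """Run both login checks against a classic malformed password and return
    (vulnerable_result, hardened_result) so the difference is visible."""
    conn = make_db()
    bad_password = "' OR '1'='1"  # constructed test input, not a valid password
    return login_vulnerable(conn, "admin", bad_password), login_hardened(
        conn, "admin", bad_password
    )


if __name__ == "__main__":
    print(demo())  # the spliced query grants 'admin'; the bound query returns None
```

The point of the comparison is that the hardened version never lets the input reach the SQL parser: the driver sends the statement and the values separately, so the WHERE clause cannot be rewritten, and the record-count check catches a query that unexpectedly matches more than one row.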

I liked this article because it explained some of the key ways people can use SQL statements to perform malicious acts. It’s interesting to know that people will take advantage of any weakness that they can find. If the developers didn’t create their database properly, they could fall victim to an SQL attack. The authors also provided some steps that users and administrators could follow in order to prevent SQL attacks from happening to them. It looks like people have to be extremely careful when they construct their database. If they forget to secure things properly, they could end up being attacked with SQL statements.


Reference:

Yan, Yi; Zhengyuan, Su; Zucheng, Dai. (2011). “The Database Protection System Against SQL Attacks.” Computer Research and Development (ICCRD), March 2011, pp. 99–102. Retrieved from http://0-ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=5764254&isnumber=5764189