SQL: Attacks and Ways to Defend

by Penny P
Internet, communications, and computer network technology have been growing at a very fast rate. Because web applications rely on SQL, databases and operating systems have become the target of SQL attacks. Server-side applications build SQL statements to operate on the database, which makes it possible for an attacker to submit their own malicious SQL statements. The main forms of SQL attack include: bypassing authentication (logging on to the system with administrative privileges), performing key operations on the database (appending additional illegal SQL statements to the normal SQL statements, which can lead to key operations such as deleting, modifying, and adding data), and executing system commands through the database (taking advantage of the feature that allows developers to call out from the database to execute commands). Protection for the ordinary user includes: filtering out illegal characters so that SQL commands cannot be modified, running queries through stored procedures to avoid dynamically constructed statements, restricting user privileges, and checking the records returned by a query against the expected results. Protection for administrators includes: logging in with a user name and password, and using a hardware encryption lock.
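
The bypass and the two defenses described above, as an added example that is not from the article or the post: a login query built by string concatenation beside the same query with placeholders, plus a check that exactly one record came back. It uses SQLite, which has no stored procedures, so the parameterized statement stands in for the "avoid dynamically constructed statements" advice; the user table and the test input are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two accounts (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse', 1)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2', 0)")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    """Dynamically constructed statement: user input is parsed as SQL syntax."""
    sql = (f"SELECT name, is_admin FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, name, password):
    """Placeholders keep the input as data; the driver never parses it as SQL."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()

def authenticate(conn, name, password, query=login_parameterized):
    """Second layer from the article: a valid login must match exactly one record.
    Returns the (name, is_admin) row on success, None otherwise."""
    rows = query(conn, name, password)
    if len(rows) != 1:
        return None
    return rows[0]

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed test input, not a real password
    print("concatenated:", login_vulnerable(db, "x", probe))    # every row
    print("parameterized:", login_parameterized(db, "x", probe))  # []
    print("row-count check:", authenticate(db, "x", probe, login_vulnerable))  # None
```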

I liked this article because it explained some of the key ways people can use SQL statements to perform malicious acts. It’s interesting to know that people will take advantage of any weakness that they can find. If the developers didn’t create their database properly, they could be victim to an SQL attack. The authors also provided some steps that users and administrators could follow in order to prevent SQL attacks from happening to them. It looks like people have to be extremely careful when they construct their database. If they forget to secure things properly, they could end up being attacked with SQL statements.

Yan, Yi; Zhengyuan, Su; Zucheng, Dai. (2011). “The Database Protection System Against SQL Attacks.” Computer Research and Development (ICCRD), March 2011, pp. 99-102. Retrieved from http://0-ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=5764254&isnumber=5764189

6 thoughts on “SQL: Attacks and Ways to Defend”

  1. Further proof that as a new language to learn about, SQL can prove to be quite fun when we cover it in class. It is kind of strange (and bothersome) how a programming language devoted entirely to databases can have so many malicious applications and possibilities. What we will learn in class will most likely be basic syntax and example statements of how to manipulate data – and yet when the experienced get their hands on it, it is a fully functional weapon that can be utilized against businesses and other susceptible organizations. Luckily, there are many who attempt to find exploits simply for the sport of it, or as externally hired security consultants. Either way, it has the capacity to simultaneously thrill and terrify us…

    Great article. Cheers!

  2. Great article. I didn’t know that we can use SQL statements to prevent malicious acts. This article is very helpful. Thank you for posting this article.

  3. It is amazing to know how far some people will go, in order to cause malicious harm. I can see how important it is to properly design your SQL Server. The only problem is that hackers will never stop trying to infiltrate an important database. There will always be a way in, and developers will need to update and improve their system in an effort to stop the cyber crime.

  4. That is a very interesting and cool article. I didn’t know that it could be possible for a web application to be maliciously attacked using SQL. This is something I would definitely like to learn more about not only on how SQL can be used to attack an application but how one can specifically defend it.

  5. This was very informative. Not only did it talk about how to write code to perform malicious intent but the article also provided guidance on what a user can do to prevent this kind of attack. People need to be careful with their databases because as we can see, they are prone to attacks. The only thing we as users can do is to make sure that we take the necessary precautions to protect our databases because there are always going to be people who will try to corrupt it.

  6. Great article. I didn’t know that we can use SQL statements to prevent malicious acts. This article is very helpful. Thank you for posting this article.