Tips to Reject the SQL Inject


Gery Menegaz’s article (2012), “SQL Injection Attack: What Is It, and How to Prevent It,” is an informative response to Yahoo!’s recent SQL injection attack. The article warns that websites are frequently attacked because many of them have SQL injection vulnerabilities and their databases hold sensitive information and “critical application information (Menegaz).” The author also advises that SQL injection is well documented, yet many websites still leave their databases exposed even though the attacks can be very simple to prevent. Menegaz also includes in the article a search string that anyone can use to find forums and websites that show how to attack vulnerable websites and databases. The article’s author recommends the “SQL Injection Prevention Cheat Sheet” on The Open Web Application Security Project (OWASP) website to combat SQL injection. OWASP’s cheat sheet consists of three primary techniques: use of parameterized queries, use of stored procedures, and escaping all user-supplied input. Additional (secondary) defenses include minimizing the privileges of every database account (least privilege) and white-list input validation. In this article Menegaz summarizes OWASP’s SQL Injection Prevention Cheat Sheet. Details on the specific techniques can be found at https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet.
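To make the difference between the primary and secondary defenses concrete, here is an added example (my own illustration, not code from Menegaz’s article or from OWASP) that puts the “SQL on the fly” style of query next to a parameterized one and adds white-list validation in front of it. The `articles` table, its rows, and the crafted input string are all constructed for the demonstration; SQLite is used only because it needs no server.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory articles table with one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (id, title, published) VALUES (?, ?, ?)",
        [(1, "Public post", 1), (2, "Draft post", 0), (3, "Another public post", 1)],
    )
    conn.commit()
    return conn


# Constructed input: a tautology that turns the WHERE clause into "... OR '1'='1'".
CRAFTED = "x' OR '1'='1"


def lookup_dynamic(conn, article_id):
    """Dynamic SQL built by string concatenation (the 'generated on the fly' pattern).

    The caller's text becomes part of the SQL itself, so a quote character in the
    input changes the structure of the query, not just the value being compared.
    """
    sql = (
        "SELECT id FROM articles WHERE published = 1 AND id = '" + article_id + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, article_id):
    """OWASP primary defense: a parameterized query.

    The SQL text is fixed; the input is bound as a value by the driver and is never
    parsed as SQL, so it can only ever be compared against the id column.
    """
    sql = "SELECT id FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (article_id,))]


# OWASP secondary defense: white-list validation. An article id is a positive
# integer of at most ten digits; anything else is rejected before the database is
# involved at all.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")


def is_valid_id(raw):
    """Return True only if the raw request parameter is on the white list."""
    return ID_PATTERN.fullmatch(raw) is not None


def lookup_validated(conn, raw_id):
    """Validate first, then query with a bound parameter (both defenses combined)."""
    if not is_valid_id(raw_id):
        raise ValueError(f"rejected article id: {raw_id!r}")
    return lookup_parameterized(conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    print("dynamic, benign id:   ", lookup_dynamic(db, "1"))          # [1]
    print("dynamic, crafted id:  ", lookup_dynamic(db, CRAFTED))      # [1, 2, 3] -> the draft leaks
    print("parameterized, crafted:", lookup_parameterized(db, CRAFTED))  # []
    try:
        lookup_validated(db, CRAFTED)
    except ValueError as exc:
        print("validated, crafted:    ", exc)                           # rejected before any SQL runs
```

The dynamic version returns the unpublished draft because the crafted input rewrites the `WHERE` clause; the parameterized version returns nothing because the same string is compared as a plain value against an integer column; the validated version never reaches the database. Least privilege, the other secondary defense on the cheat sheet, is not something this in-memory example can show, but in practice the account used by `lookup_*` would be granted `SELECT` on `articles` only.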

I found this article very relevant to chapter eight of our textbook, which briefly covers dynamic SQL. The author even suggests researching SQL injection further because dynamic SQL “… is used to generate SQL on the fly while an application is processing (Hoffer, Ramesh, Topi 322),” which is code that can make the database vulnerable to malicious alteration. Menegaz provided a great resource authored by the Open Web Application Security Project, the SQL Injection Prevention Cheat Sheet. OWASP is a resource that I am sure will prove useful throughout my academic and professional career.

Menegaz’s article provided some astounding evidence of how readily available and accessible information is for hackers. By simply Googling inurl:article.php?id= appended to a targeted website address, the author found a forum that discusses the targeted website’s vulnerabilities and where hackers can collaborate on injection code. I remember someone previously blogging about a group of high school hackers and how easy it was, but it is astonishing that huge organizations like Yahoo!, Sony (PS3 account compromises), and others lay vulnerable even though Menegaz and OWASP say it can be easily prevented.

Menegaz, G. (2012, July 13). SQL Injection Attack: What Is It and How to Prevent It. Retrieved November 11, 2012, from http://www.zdnet.com/sql-injection-attack-what-is-it-and-how-to-prevent-it-7000000881/