Tips to Reject the SQL Inject

by Arlyn R
Gery Menegaz’s article (2012), “SQL Injection Attack: What Is It, and How to Prevent It,” is an informative response to Yahoo!’s recent SQL injection attack. The article warns that websites are frequently attacked because there are many websites that have SQL injection vulnerabilities and their databases hold sensitive information and “critical application information (Menegaz).” The author also advises that SQL injection is well documented, yet many websites still leave the databases exposed even though attacks can be very simple to prevent. Menegaz, also includes in the article code that anyone can use to find forums and websites that show how to attack vulnerable websites and databases. The article’s author recommends the “SQL Injection Prevention Cheat Sheet” on The Open Web Application Security Project (OWASP) website to combat SQL Injection. OWASP’s cheat sheet consist of primary techniques which are: use of parameterized queries, use of stored procedures, escaping all user supplied input. Additional (secondary) defenses include minimizing privileges to every database account (least privilege) and white list input validation. In this article Menegaz summarizes OWASP’s SQL Injection Cheat Sheet. Details on the specific techniques can be found at the url https://www.owasp.org/ index.php/SQL_Injection_Prevention_Cheat_Sheet.

I found this article very relevant to chapter eight of our textbook which briefly covers dynamic SQL. The author even suggests to research further on SQL Injection because dynamic SQL “… is used to generate SQL on the fly while an application is processing (Hoffer, Ramesh, Topi 322)” which is code that can make the database vulnerable malicious alteration. Menegaz provided a great resource authored by the Open Web Application Security Project, SQL Injection Cheat Sheet. OWASP is a resource that I am sure will prove useful throughout my academic and professional career.

Menegaz’s article provided some astounding evidence on how readily available and accessible information is for hackers. By simply Googling inurl:article.php?id= appended to a targeted website address, the author found a forum that discusses the targeted websites vulnerabilities and hackers can collaborate on injection code. I remember someone previously blogging about a group of high school hackers and how easy it was but it is astonishing that huge organizations like Yahoo!, Sony (PS3 account compromises), and others lay vulnerable even though Menegaz and OWASP say it is can be easily prevented.

Menegaz, G. (2012, July 13). SQL Injection Attack: What Is It and How to Prevent It. Retrieved from http://www.zdnet.com/sql-injection-attack-what-is-it-and-how-to-prevent-it-7000000881/. Retrieved on November 11, 2012.

2 thoughts on “Tips to Reject the SQL Inject

  • November 11, 2012 at 11:50 pm
    Permalink

    Despite how easily preventable the injections may be, it still doesn’t stop the hackers because there will always be a way to crack the system and the information is too easily accessible. Nevertheless, this neither gives company and website owners the excuse to leave their databases vulnerable.

  • November 12, 2012 at 2:20 pm
    Permalink

    I enjoyed the fact that this author is trying to provide solutions to help make SQL injections less effective. SQL injections are one of the most effective and commonly used attacks on a company to access their data. Unfortunately, this will not completely stop hackers as they will constantly find new ways to compromise a system. I don’t see this issue ever going away, it’ll be more like a tug of war. Neither side will give up but neither side will have completely won.

Comments are closed.