SQL Injections And Preventing Them

by David L
The article I read this week is titled “The Analysis of Database Remote Attack Defense” by Shuguang Wang and Shao Qian. The authors start off by saying that, because of the popularity of the Internet and the development of database technology, database security is very important and has a direct effect on everything from the success of an enterprise to national security (Wang & Qian, 2010). Because all databases using SQL are prone to SQL injection, everyone should take measures to prevent unauthorized access to their database(s). The four steps that the authors describe in attacking a database are:

1. Judge the flaws in the website database

2. Confirm the attack points of the database’s remote websites

3. Get all the information of all the tables in current database

4. Destroy all data tables

Examples of the SQL attacks used on a real website are in the article.

Then the authors move into how to protect your database by filtering input and limiting the range of access users have. To further protect the database, they suggest that an “access machine” operate between the database and the web server, so that users do not have “direct” access to the database. The authors state that “We should also realize that the flaws in application programs can’t be solved only by changing the settings on the server” (Wang & Qian, 2010); we also need to dissect the incoming code and check parameters to prevent unauthorized access.
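To make the “check parameters” point concrete, here is an added example (my own code, not from the Wang & Qian paper) that runs a lookup two ways against an in-memory SQLite table with constructed sample rows: once by pasting user input into the SQL text, and once by binding it as a parameter. It also shows an allow-list filter of the kind the authors mean by filtering input. The table, rows and the tautology string used for the comparison are all constructed for this illustration.

```python
"""Added example (not from Wang & Qian's paper): a vulnerable lookup beside a
parameterized one, run against an in-memory SQLite database with constructed
sample rows, plus an allow-list input filter."""
import re
import sqlite3


def make_db():
    # Constructed sample data; the table and rows are not from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: the user's input becomes part of the SQL text,
    # so a quote in the input changes the meaning of the statement.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Placeholder binding: the driver passes the value separately from the
    # statement, so it is compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_username(name):
    # Allow-list filter: accept only characters a username legitimately has.
    # Anything else is rejected before it ever reaches the database.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", name):
        raise ValueError("invalid username")
    return name


def demo():
    """Return row counts for each lookup style with a benign and a hostile input."""
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed tautology string for the comparison
    results = {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),
    }
    try:
        validate_username(hostile)
        results["filter_rejected"] = False
    except ValueError:
        results["filter_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the difference the paper is describing: the concatenated query returns every row for the hostile input, while the parameterized query returns none, and the allow-list filter rejects the input outright. Parameter binding is the primary defense; the filter is defense in depth, and a database account that cannot run statements beyond the ones the application needs limits what a remaining flaw can do.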

In class we have briefly discussed SQL injection, and we could include the steps provided in this article to practice securing our own databases. Also, the “guide” on preventing SQL injection can be a useful reference in the future. Database assessment and security is a valued skill that employers would like. This whole article is more like an introduction to database security, starting off by learning how to limit users’ access by restricting certain SQL commands like select, update, delete, etc.


Shuguang Wang & Shao Qian. “The Analysis of Database Remote Attack Defense.” Intelligence Information Processing and Trusted Computing (IPTC), International Symposium (2011). IEEE Xplore Digital Library. 28 October 2010 – 29 October 2010. Web. 3 June 2012. <http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=5663271>