How to Reduce Damage from SQL Injection

by Tseng H. K.
The article I read this week is “How to Prevent a SQL Injection Attack” by Tsveti Markova. Since many of us mentioned SQL injection in our posts this week and last, I decided to look for ways to prevent or reduce the damage from a SQL injection attack. I chose this article because most of the other articles were code-based and hard to understand. Since we have just started to learn SQL queries, I wanted to look for more basic prevention principles that apply to any programming language without requiring high-level coding skills.

Fear of Injections?

by Han C
No, I’m not talking about hypodermic needles. This article explains the mystery behind SQL injections and offers a few suggestions on how you can protect yourself from an injection attack. SQL injections are extremely common and very easy to exploit. Yes, I know. Your job as a database administrator just became that much sweeter, right? Fear not, because the best countermeasures are simply to identify vulnerabilities yourself and test the safety of your system in a controlled environment first. SQL injections occur when malicious code is embedded into the content of a parameter. In other words, an attacker can attempt to trick the system into forwarding a query to the database in an effort to gain more information. The article explains that these types of attacks are quite simple to execute and even offers a sample or two. One reason that SQL injections are so prominent is that more tools are being developed every day which can be used by attackers to scan for such vulnerabilities. The article explains that one of the easiest ways to prevent this from happening is to avoid accessing external interpreters whenever possible. Another important thing to remember is to ensure that web applications only run under the necessary privileges. Any user commands should be rigorously checked and rechecked for unexpected outcomes. The bottom of the article offers a code reviewing guide and an SQL injection prevention cheat sheet.