How to Check Text Inputs for SQL Injection Attacks in Java
Learn how to detect SQL injection attacks from text input(s) using an API in Java.
CORE
·
Join the DZone community and get the full member experience.
Join For FreeSQL (Structured Query Language) injection is a code injection technique used to attack data-driven applications; the SQL statements are inserted into an entry field for execution and wreak havoc from there. This type of attack tends to seek and target existing security vulnerabilities within websites or other databases to acquire access to sensitive information. For example, if the field of an online form is coded incorrectly, this provides an opening for the malicious user to sneak in SQL commands that the system will consider valid and return a response containing information that can be leveraged to access the data and manipulate, modify, or destroy it from there.
Despite the growing number of organizations that have reported successful SQL injection attacks, this type of threat is often underestimated in comparison to other cyber-crimes. Due to their reliance on check-out forms for their websites, retail companies have shown to be particularly susceptible to these threats. While standard firewalls may aim at protecting your website or application from SQL injection, the potential for failure can cause serious damage and data loss for your company. The following APIs can assist in providing supplementary protection by detecting SQL injection attacks from single or multiple text inputs, and will even define the threat detection level you want to utilize.
To run the APIs in Java, we will first install the Maven SDK by adding a reference to the repository:
<repositories>
<repository>
<id>jitpack.io</id>
<url>https://jitpack.io</url>
</repository>
</repositories>
Then we will add a reference to the dependency:
xxxxxxxxxx
<dependencies>
<dependency>
<groupId>com.github.Cloudmersive</groupId>
<artifactId>Cloudmersive.APIClient.Java</artifactId>
<version>v3.90</version>
</dependency>
</dependencies>
Now for our first API, we will be checking a singular text input for SQL injection. The only parameters that need to be included are:
- User-facing text input: the target text input string.
- API key: your personal API key; this can be retrieved by registering for a free account on the Cloudmersive website.
- Detection level (optional): threat detection level for the process; set to Normal to target a high-security SQL Injection detection level with a very low false-positive rate; select High to target a very-high security SQL Injection detection level with higher false positives. Default is Normal (recommended).
We can input the above information into the following code to call our validation function:
xxxxxxxxxx
// Import classes:
//import com.cloudmersive.client.invoker.ApiClient;
//import com.cloudmersive.client.invoker.ApiException;
//import com.cloudmersive.client.invoker.Configuration;
//import com.cloudmersive.client.invoker.auth.*;
//import com.cloudmersive.client.TextInputApi;
ApiClient defaultClient = Config uration.getDefaultApiClient();
// Configure API key authorization: Apikey
ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
Apikey.setApiKey("YOUR API KEY");
// Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
//Apikey.setApiKeyPrefix("Token");
TextInputApi apiInstance = new TextInputApi();
String value = "value_example"; // String | User-facing text input.
String detectionLevel = "detectionLevel_example"; // String | Set to Normal to target a high-security SQL Injection detection level with a very low false positive rate; select High to target a very-high security SQL Injection detection level with higher false positives. Default is Normal (recommended).
try {
SqlInjectionDetectionResult result = apiInstance.textInputCheckSqlInjection(value, detectionLevel);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling TextInputApi#textInputCheckSqlInjection");
e.printStackTrace();
}
The returned response will simply indicate if an SQL injection attack was found. Now for our next API, we will detect SQL injection attacks from multiple text inputs in batch by using the following code:
xxxxxxxxxx
// Import classes:
//import com.cloudmersive.client.invoker.ApiClient;
//import com.cloudmersive.client.invoker.ApiException;
//import com.cloudmersive.client.invoker.Configuration;
//import com.cloudmersive.client.invoker.auth.*;
//import com.cloudmersive.client.TextInputApi;
ApiClient defaultClient = Configuration.getDefaultApiClient();
// Configure API key authorization: Apikey
ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
Apikey.setApiKey("YOUR API KEY");
// Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
//Apikey.setApiKeyPrefix("Token");
TextInputApi apiInstance = new TextInputApi();
SqlInjectionCheckBatchRequest value = new SqlInjectionCheckBatchRequest(); // SqlInjectionCheckBatchRequest | User-facing text input.
try {
SqlInjectionCheckBatchResponse result = apiInstance.textInputCheckSqlInjectionBatch(value);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling TextInputApi#textInputCheckSqlInjectionBatch");
e.printStackTrace();
}
The only parameters required for the operation to run smoothly are the API key and the user-facing text inputs as shown in the following example string:
{
"RequestItems": [
{
"InputText": "string"
}
],
"DetectionLevel": "string"
}
To keep things as simple as possible, the output from the operation will preserve the order of the text inputs.
And that’s it! Integrating this protection into your site or database will keep you safe from those custom-made and easy-to-miss SQL injection threats. If you have questions on either of these APIs, feel free to contact our sales team here; they’re always happy to help.
Opinions expressed by DZone contributors are their own.
Comments