SQL Injection Cheat Sheet: How to Prevent Attacks
SQL injection, or SQLi, attacks are one of the oldest, but most effective cyberattacks out there. Learn how to protect your code.
Join the DZone community and get the full member experience.Join For Free
SQL injection takes place when database software can’t tell the difference between arbitrary data from the user and genuine commands from the application. When an attacker injects commands into the data they send to a database, they can take database control away from the application owner. This can lead to data corruption, leaks of confidential data, or the bypass of essential logic (e.g., authentication, authorization checks).
The good news is that SQL injection is preventable using a special feature that allows database software to separate application commands from user-supplied data. Or, by preventing untrusted user data from going directly to the database.
Let’s look out onto a variety of actionable ways to steer clear of SQL injection attacks.
- Identify SQL Injection Attack Vectors for Your Application and Database Solution
- Check the National Vulnerability Database for known bugs in your chosen database solution.
- After selecting the database solution, analyze available safety features (e.g., parameterized queries). These allow the database to ignore any commands injected into the data that the user supplies.
- Analyze the application’s design to identify potential SQL injection attack vectors. Additionally, highlight data paths where commands containing tainted data may be reused to attack queries that don’t directly accept user data.
- Develop SQL Query Best Practices and Protections
- Write a set of coding standards that anticipate and protect common use cases for SQL database queries.
- Develop and approve safe SQL query templates and make them available for developer use.
- Identify database use cases that are unique to your application. Also, develop custom validation or query building code if parameterization queries aren’t enough.
- Create or customize automated source code scanning tool rules to check for vulnerabilities as the code is being written.
- Educate Developers About the SQL Risks and Protection Methods
- Ensure that developers are familiar with application-specific threats and data sources.
- Provide developers with foundational training about the risks and general mitigations involving SQL injection.
- Specify coding standards and standard SQL query templates. Run training sessions on the standards and templates so that developers clearly understand how to utilize them.
- Find Problems in the Code
- Perform automated testing to detect SQL injection vulnerabilities in the source code.
- Implement manual reviews to ensure that coding standards are followed when a SQL query appears in the code.
- Test for SQL Injection
- Build test cases that attempt to manipulate the database through SQL injection. Run those tests during the QA process.
- Run automated dynamic application scanning tools to further test for SQL injection.
- Bring in a third-party penetration tester. Provide them access to the design documents with which they can then perform white box testing.
- Don’t Add SQL Injection to Your Legacy
- Make sure that safeguarded or privileged SQL queries and routines aren’t exposed to tainted data as new functionalities are added over the life of the application.
- Be vigilant for new SQL injection vulnerabilities that may lurk in third-party software or libraries that your applications depend on.
- Have a plan to securely fix any SQL injection vulnerabilities that make it into production.
- SQL injection is a serious concern. However, with the proper steps, prevention and mitigation can keep your applications securely on course.
Published at DZone with permission of Jamie Boote, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.