Defending Against SQL Injection Attacks

In this article cybersecurity student Ozan Agdepe gives us some pro tips for defending against SQL injection.

Defending Against SQL Injection Attacks

SQL injection attacks work by placing malicious code in SQL statements via web page input.  They are one of of the most common web hacking methods and a code injection technique that might destroy your database. In this article we will discuss different ways of defending against SQL injection attacks as I learn them.

Character Filtering

SQL is one of the easiest ways of defending yourself against injection attacks and we can provide protection by filtering the characters in the system. As you know, mostly Sql injection attack methods use characters such as single quotes (') and filtering these characters will partially protect our system. By filtering, we can provide protection by converting one nail into double nails. The code below will work.

<% function sqlsecurity(replacequotes) sqlsecurity="Replace(ReplaceQuotes" ,"'",""") end %>

You can make similar changes on the code by playing around with this method.

Limit Record Lengths

It is infinitely preferable that your site edit text entries according to the length of space allocated to your database. For example, if a maximum of 15 characters are entered in an entry field, no excess characters should be allowed in the field, this is a sensible precaution to take against SQL injection attacks.

Check Record Types

Check the types of data entered in a form that you have prepared. For example, a different type of input can be provided while the corresponding form must be entered. Such a check can be solved by writing simple codes for robustness.

Limit Authorizations

If possible, it would be an advantage for you to connect to the database with restricted privileges, rather than through connection administrator rights. This acts as a useful backstop in case your system falls prey to an injection attack, the attacker will not be able to do much without admin privileges buying you time to remediate.

Use A Whitelist

Everyone recommends setting up the blacklist but an attacker can override the blacklist you set up by modifying combinations. But if you set the whitelist logically, so you can avoid the bad codes and white list the good code to work.

Use GreenSQL

GreenSQL is an (open source and GPL license) DB Firewall application that protects the database against SQL injection attacks, it works with proxy logic and has MySQL compatibility.

GreenSQL analyzes the commands sent by the client, and then sends them to MySQL. It prevents filtering of commands that are not visible and that are not added to whitelist.

That's it for now! these are all that I have read about and researched. This article will be updated in the future as I learn about more defense techniques.

If you want me to add anything to this article ping me on twitter @OAdepe or head on over to my website at https://agdepe.net/. Thanks for reading!

The awesome GIF used in this article is called "Space Injection" and it was created by David Law.