What is SQL Injection and How to Fix it?

When applications use SQL queries to interact with database contain direct user input without performing any validation then there is a possibility for SQL Injection as the applications fail to distinguish between sql code and data values.

Example query for SQL Injection:

[php]
SELECT username, password FROM users_table WHERE username = ‘" +
userName + "’ and password = ‘" + password + "’

For example if user inputs ‘ or’1’=’1 for both username and password
fields in the above query then the interpreter will consider it as
sql code instead of data and execute sql query as the input ‘
or ‘1’=’1 is always true.

The above query changes as following which is a true condition,
gets executed and allows the user to login with privileges of first
user account in the DB which is usually of an administrator.

SELECT username, password FROM users_table
WHERE username = ”or ‘1’=’1′ and password = ”or ‘1’=’1′
[/php]

Impact of SQL Injection:

If applications are vulnerable to SQL injection then an adversary can take advantage

of this weakness and alter the data in database, view data or even worse delete

existing data from database.

How to Fix SQL Injection:

#1. Perform white list input validation as it allows only trusted data to be entered into the application.

#2. Use Prepared Statements with bind variables as it distinguishes between code and data through use of methods such as setInteger(value), setString(value)

#3. Use Stored Procedures that do not construct dynamic sql queries

#4. Use least Privilege mechanism to avoid the damage potential in case of successful exploitation. For example create a first record in DB with least Privileges rather than administrator privileges to avoid damage potential in case an adversary were able to bypass login with a true condition.

Usually most security flaws occur in applications as the developers are unaware of the security weaknesses and build the application as per business requirement. It will be of great help if developers are trained on how to build secure software to avoid vulnerabilities in early stages of SDLC.

Hope this article provided some useful information on SQL Injection. Please share if you like it. Stay updated with the latest cyber security tip and tricks to get secured.

Follow us
WannaCry Ransomware Terror! How to Protect Your Computer From This Malware?
Time to Know About the Benefits of Using Movavi Screen Recorder
Techno World News

If you like This post, you can also Like and follow Techno World News on Facebook . Subscribe to Techno World News feed via RSS. You can also contribute to this blog, if you are interested Email here.

Share
Published by
Techno World News

Recent Posts

7 Key Web Design Principles To Create Impactful Web Experiences

The first instance of a website dates back to November 1992, just a year after…

15 hours ago

Why Your Small Business Needs SEO To Succeed

In today’s digital landscape, having a strong online presence is essential for any business. This…

3 weeks ago

Ultimate Guide to How Encoders Work: Types & Applications

Imagine trying to explain your movement through a crowded room using only the sounds of…

3 weeks ago

10 Best Shopify Apps to Help Grow Your Ecommerce Business

In the ever-evolving world of online commerce, having the right tools at your disposal is…

6 months ago

Eye-Catching Thumbnails: A Powerful YouTube Channel Growth Tool

In the vast landscape of online content, YouTube has emerged as a powerhouse for creators…

7 months ago

Elevating Security Paradigms in Marketing: A Holistic Expedition

In the ever-changing world of digital marketing, strengthening security goes beyond simply supporting firewalls. It…

7 months ago