HostGator Web Hosting
Advertise With UsContact us here regarding advertisements queries.

What is SQL Injection and How to Fix it?

sql injection

When applications use SQL queries to interact with database contain direct user input without performing any validation then there is a possibility for SQL Injection as the applications fail to distinguish between sql code and data values.

Example query for SQL Injection:

SELECT username, password FROM users_table WHERE username = '" +
userName + "' and password = '" + password + "'

For example if user inputs ' or'1'='1 for both username and password 
fields in the above query then the interpreter will consider it as 
sql code instead of data and execute sql query as the input ' 
or '1'='1 is always true.

The above query changes as following which is a true condition,
gets executed and allows the user to login with privileges of first 
user account in the DB which is usually of an administrator.

SELECT username, password FROM users_table 
WHERE username = ''or '1'='1' and password = ''or '1'='1'

Impact of SQL Injection:

If applications are vulnerable to SQL injection then an adversary can take advantage

of this weakness and alter the data in database, view data or even worse delete

existing data from database.

How to Fix SQL Injection:

#1. Perform white list input validation as it allows only trusted data to be entered into the application.

#2. Use Prepared Statements with bind variables as it distinguishes between code and data through use of methods such as setInteger(value), setString(value)

#3. Use Stored Procedures that do not construct dynamic sql queries

#4. Use least Privilege mechanism to avoid the damage potential in case of successful exploitation. For example create a first record in DB with least Privileges rather than administrator privileges to avoid damage potential in case an adversary were able to bypass login with a true condition.

Usually most security flaws occur in applications as the developers are unaware of the security weaknesses and build the application as per business requirement. It will be of great help if developers are trained on how to build secure software to avoid vulnerabilities in early stages of SDLC.

Hope this article provided some useful information on SQL Injection. Please share if you like it. Stay updated with the latest cyber security tip and tricks to get secured.

What is SQL Injection and How to Fix it?
4.5 (90.77%) 13 votes

Techno World News
Follow us

Techno World News

If you like This post, you can also Like and follow Techno World News on Facebook . Subscribe to Techno World News feed via RSS. You can also contribute to this blog, if you are interested Email here.
Techno World News
Follow us
WannaCry Ransomware Terror! How to Protect Your Computer From This Malware?
Time to Know About the Benefits of Using Movavi Screen Recorder

Wanna Say Something?

Loading Facebook Comments ...

Add a Comment