Guide on Fixing SQL Injection Vulnerabilities

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

When attackers can successfully conduct a SQL injection attack, they may be able to:

  • Retrieve information they are not authorized to see.
  • Change account information by updating rows in various tables.
  • Destroy data, for example by dropping entire tables, or make fine-grained edits to the database.
  • Deface web pages.

To prevent the above, the following are some steps that system administrators and developers can take to protect their servers from SQL injection attacks:

  1. Limit the permissions of the database account the web application uses. This will not eliminate SQL injection, but it can limit the damage an injection causes: an account that can only SELECT from the tables it needs cannot be used to update or drop them.

  2. Consider using parameterized queries (prepared statements) or parameterized stored procedures. User input is passed to the database as separate, typed parameters instead of being concatenated into the SQL text, so the database never parses it as part of the statement. Note that a stored procedure which builds dynamic SQL internally from its arguments is still injectable.

  3. On the server side, the application should filter user input, by removing:

    • Quotes of all kinds, i.e. straight and typographic single quotes (') and double quotes (").

    • Minus signs (-), which start a comment when doubled (--); semicolons (;), which separate statements; asterisks (*); and the LIKE wildcards percent (%) and underscore (_).

    • Other shell/scripting metacharacters.

    Stripping characters silently alters legitimate data (a surname such as O'Brien), so treat this as defence in depth behind parameterized queries rather than as the primary control.

  4. Define the characters that are acceptable (alphabetic and numeric) and filter everything else out. Filter after canonicalization of the input, so that encoded or look-alike forms of a forbidden character cannot slip past the check.


  5. Apache's mod_security offers solid filtering features. Please refer to the link below for details:

  6. For those characters you really need, introduce an escape sequence or substitute. When the value is written into HTML, an apostrophe can be encoded as &apos; (or &#39;) and a less-than sign as &lt;, and so on. Inside a SQL string literal an apostrophe is escaped by doubling it (''); the exact escaping rules depend on the database engine.
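The following is an added example that is not part of the MyCERT advisory. It illustrates steps 1, 2, 4 and 6 above in one runnable Python script, using SQLite as a stand-in for the application database: a lookup that concatenates user input into the query beside the same lookup with a bound parameter, an allowlist applied after Unicode canonicalization, apostrophe doubling as a last-resort escape, and an authorizer callback that plays the role of a database account restricted to SELECT. The users table, its rows and the payload string are constructed for the demonstration; SQLite has no GRANT, so the authorizer is only an analogue of real database permissions.

```python
import re
import sqlite3
import unicodedata

# Constructed sample data for the demonstration; not taken from the advisory.
SAMPLE_USERS = [("alice", "user"), ("bob", "user"), ("carol", "admin")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The 'before' case: user input is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Step 2: the input is bound as a parameter and is only ever treated as
    data, never as part of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Step 4: an allowlist of what a username may contain (alphanumeric only).
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def canonicalize(value):
    """Normalise before filtering so that look-alike forms (full-width letters,
    compatibility characters) cannot slip past the allowlist."""
    return unicodedata.normalize("NFKC", value).strip()


def is_allowed_username(value):
    """True only if the canonical form matches the allowlist exactly."""
    return USERNAME_RE.fullmatch(canonicalize(value)) is not None


def safe_lookup(conn, raw_username):
    """Validate against the allowlist, then query with a bound parameter."""
    if not is_allowed_username(raw_username):
        raise ValueError("username rejected by allowlist")
    return find_user_parameterized(conn, canonicalize(raw_username))


def escape_single_quotes(value):
    """Step 6 as a last resort: in a SQL string literal an apostrophe is
    written as two apostrophes. Escaping rules are engine-specific (MySQL also
    treats backslash as an escape), so prefer bound parameters where possible."""
    return value.replace("'", "''")


def apply_read_only(conn):
    """Step 1 analogue: SQLite has no GRANT, so an authorizer callback stands in
    for a database account that can only SELECT. Any INSERT, UPDATE, DELETE or
    DROP TABLE attempted through this connection is refused."""
    denied = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
              sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE}

    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_DENY if action in denied else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def attempt_delete(conn):
    """Return True if 'DELETE FROM users' succeeded, False if it was refused."""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"          # constructed injection payload
    print("vulnerable   :", find_user_vulnerable(conn, payload))      # every row
    print("parameterized:", find_user_parameterized(conn, payload))   # no such user
    print("escaped      :", find_user_vulnerable(conn, escape_single_quotes(payload)))
    print("allowlist    :", is_allowed_username(payload), is_allowed_username("\uff41lice"))
    apply_read_only(conn)
    print("delete ok?   :", attempt_delete(conn))                     # refused
    print("still leaks? :", len(find_user_vulnerable(conn, payload))) # read access suffices
```

The last two lines show the point made in step 1: the restricted account blocks the DELETE, but the concatenated query still dumps every row, because a read-only account does nothing against an injection that only reads. Only the bound parameter (or a strict allowlist applied before the query) removes the injection itself.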

References:

Feedback can be directed to MyCERT.

Produced on 10th April 2008 by MyCERT, CyberSecurity Malaysia,
an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:
Initial Release: 10th April 2008
