Welcome to the Webmaster Forum.
  1. #1
    Senior Member
    Join Date
    Jan 2014
    Location
    Banglore
    Posts
    289

    How do I protect my web site from an SQL injection attack?

    An SQL injection attack occurs when an attacker exploits a legitimate user input mechanism on your site to send SQL code that your unsuspecting script passes on to the database for execution. The golden rule for avoiding SQL injection attacks is: escape all data from external sources before letting it near your database. That rule doesn't just apply to INSERT and UPDATE queries, but also to SELECT queries.
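    Added example (not code from the post above): the "unsuspecting script" beside its fixed form, run against a constructed in-memory SQLite database. Two constructed attacker inputs are fed to both versions; both target a plain SELECT, which is the post's closing point. The table names, sample rows and payload strings are assumptions made for this example. Binding the value as a parameter is the reliable form of the post's "escape everything" rule, because the driver does the escaping and the SQL text never changes.

```python
import sqlite3

# Constructed sample data: public profile rows plus a separate credentials table that the
# profile lookup should never be able to reach.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com"),
                      ("carol", "carol@example.com")])
    conn.executemany("INSERT INTO credentials VALUES (?, ?)",
                     [("alice", "hash-alice"), ("bob", "hash-bob")])
    return conn

def lookup_vulnerable(conn, username):
    """The 'unsuspecting script': the request value is pasted into the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """Hardened form: the SQL text is fixed and the value travels as a bound parameter,
    so whatever the user typed is compared as data, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Constructed attacker inputs. The first turns the WHERE clause into a tautology and dumps
# every user; the second appends a UNION that reads the credentials table through the same
# read-only SELECT. The trailing '--' comments out the closing quote the script adds.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT username, password_hash FROM credentials --"

if __name__ == "__main__":
    db = make_db()
    for payload in (PAYLOAD_TAUTOLOGY, PAYLOAD_UNION):
        print("input        :", payload)
        print("vulnerable   :", lookup_vulnerable(db, payload))
        print("parameterized:", lookup_parameterized(db, payload))
```

    Running it shows the vulnerable lookup returning all three users for the first payload and the password hashes for the second, while the parameterized lookup returns no rows for either, because no username literally equals the payload string.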

  2. #2
    Senior Member
    Join Date
    Nov 2015
    Posts
    405

    Re: How do I protect my web site from an SQL injection attack?

    Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database.

    This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.

    Please consult the following resources for implementing parameterized database queries and preventing SQL Injection in your code base:

    OWASP Guide to SQL Injection
    OWASP SQL Injection Prevention Cheat Sheet

    Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:

    Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
    Utilize the principle of least privilege when provisioning accounts used to connect to the SQL database. For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts. Never allow your web application to connect to the database with Administrator privileges (the "sa" account on Microsoft SQL Server, for instance).
    Do not use shared database accounts between different web sites or applications.
    Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
    Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.
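    Added example (not code from the post above) covering the hardening steps listed in it: typed validation of a form field, allow-listing of a drop-down value that ends up in an ORDER BY (identifiers cannot be bound as parameters, so this is the one place where validation rather than binding does the work), a request handler that logs database errors server-side and returns only a generic message to the client, and a check that the application's connection cannot write. The content table, the sample rows and the `handle` function are assumptions made for this example. SQLite has no GRANT, so `PRAGMA query_only` stands in for the SELECT-only database role the post recommends; on a real server you would create that role and grant it SELECT on the needed tables.

```python
import logging
import re
import sqlite3

log = logging.getLogger("webapp")

# Constructed sample data: a small content table of the kind the post describes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles (title, published) VALUES (?, ?)",
                     [("First post", 1), ("Draft", 0), ("Third post", 1)])
    return conn

def open_select_only(conn):
    """Stand-in (assumption for this example) for a SELECT-only database role:
    query_only makes SQLite reject every write on this connection."""
    conn.execute("PRAGMA query_only = ON")
    return conn

def verify_select_only(conn):
    """Deployment check: confirm the application connection really cannot write."""
    try:
        conn.execute("UPDATE articles SET published = published")
    except sqlite3.OperationalError:
        return True
    conn.rollback()   # the write went through; undo it and report the over-privileged account
    return False

class BadRequest(ValueError):
    """Client input failed validation; a web handler would turn this into HTTP 400."""

def parse_article_id(raw):
    # A form field arrives as text. Enforce the expected type (a positive integer) before it
    # gets near a query; '', '-1' and '1 OR 1=1' are all rejected here.
    if not re.fullmatch(r"[1-9][0-9]*", raw):
        raise BadRequest("id must be a positive integer")
    return int(raw)

# A sort option from a drop-down is checked against an allow-list; the request value itself
# is never copied into the SQL text, only the trusted string it maps to.
SORT_COLUMNS = {"id": "id", "title": "title"}
SORT_DIRS = {"asc": "ASC", "desc": "DESC"}

def list_articles(conn, sort_raw, dir_raw):
    if sort_raw not in SORT_COLUMNS or dir_raw not in SORT_DIRS:
        raise BadRequest("unknown sort option")
    sql = "SELECT id, title FROM articles WHERE published = 1 ORDER BY %s %s" % (
        SORT_COLUMNS[sort_raw], SORT_DIRS[dir_raw])
    return conn.execute(sql).fetchall()

def get_article(conn, raw_id):
    article_id = parse_article_id(raw_id)
    return conn.execute("SELECT id, title FROM articles WHERE id = ? AND published = 1",
                        (article_id,)).fetchone()

def handle(conn, action, *args):
    """Request handler (assumed shape): returns (status, body). Database errors are logged
    with full detail on the server; the client only ever sees 'internal error'."""
    try:
        if action == "list":
            return 200, list_articles(conn, *args)
        if action == "get":
            return 200, get_article(conn, *args)
        return 404, "not found"
    except BadRequest as exc:
        return 400, str(exc)
    except sqlite3.Error:
        log.exception("database error while handling %s %r", action, args)
        return 500, "internal error"

if __name__ == "__main__":
    db = open_select_only(make_db())
    print("select-only connection:", verify_select_only(db))
    print(handle(db, "list", "title", "desc"))
    print(handle(db, "get", "1 OR 1=1"))
    print(handle(db, "list", "title; DROP TABLE articles", "asc"))
```

    The error path is worth exercising deliberately (for instance by closing the connection and issuing a request): the handler must answer with the generic message and the driver's text must appear only in the server log.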

  3. #3
    Senior Member
    Join Date
    Jan 2016
    Location
    Mumbai
    Posts
    517

    Re: How do I protect my web site from an SQL injection attack?

    Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
    Utilize the principle of least privilege when provisioning accounts used to connect to the SQL database. For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts. Never allow your web application to connect to the database with Administrator privileges (the "sa" account on Microsoft SQL Server, for instance).
    Do not use shared database accounts between different web sites or applications.
    Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
    Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.


    Deliver2inbox