SQL injection is a technique in which an attacker inserts malicious code into strings that are later passed to a database for execution. It exploits applications that build SQL statements from user input.
Why would someone attempt SQL injection?
-Obtain, delete or change the information held in your database.
-Cause a denial of service (DoS) by injecting SQL that takes a long time to run and perhaps locks rows in your database.
Defending Against SQL Injection Attacks:
-Comprehensive data sanitization.
Web sites must filter all user input.
Example: e-mail addresses should be filtered to allow only the characters permitted in an e-mail address, and so on.
-Use a web application firewall. Example: ModSecurity provides a filter for potentially dangerous web requests; its SQL injection defenses can catch most attempts to sneak SQL through web channels.
-Limit database privileges by context. Example: the code behind a login page should query the database using an account that has only the privileges that page needs.
-Avoid disclosing error information. Use structured exception handling to catch errors and prevent them from propagating back to the client. Log detailed error information locally, and return only a limited error message to the client.
Any one of these defenses significantly reduces the chances of a successful SQL injection attack. Although there is no such thing as a 100% guarantee in network security, formidable obstacles can be placed in the path of SQL injection attempts.
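As an added example (not part of the original post), the snippet below puts three of the defenses above into working Python: a lookup that pastes user input into the SQL text, beside a hardened version that filters the e-mail address with an allow-list pattern, sends the value as a query parameter so the driver treats it as data, and keeps error details in a local log while the client sees only a generic message. The table, the sample users and the function names are constructed for this demo and use an in-memory SQLite database.

```python
import logging
import re
import sqlite3

# Constructed sample data for this demo (not from the original post).
SAMPLE_USERS = [("alice@example.com", "alice"), ("bob@example.com", "bob")]
# Allow-list pattern: only characters permitted in an e-mail address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    """Create an in-memory users table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """The flaw: the input becomes part of the SQL text and can change the query."""
    sql = "SELECT name FROM users WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, email):
    """Filter the input, then bind it as a parameter so it is never parsed as SQL."""
    if not EMAIL_RE.match(email):
        return []  # reject anything not shaped like an e-mail address
    rows = conn.execute("SELECT name FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def lookup_for_client(conn, email):
    """Log full error details locally; return only a limited error to the client."""
    try:
        return {"ok": True, "names": lookup_hardened(conn, email)}
    except sqlite3.Error:
        logging.exception("lookup failed for input %r", email)
        return {"ok": False, "error": "request could not be processed"}


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # input that closes the quoted literal
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every user leaks
    print("hardened:  ", lookup_hardened(db, crafted))    # rejected, nothing returned
    print("client:    ", lookup_for_client(db, "alice@example.com"))
```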