SQL Injection Is a Common Method of Hacking Web Applications and Sites

SQL injection is one very common method of hacking sites and web applications that work with relational databases.

This method is based on the introduction of an arbitrary SQL code, transmitted by an attacker, into a request to the database executed by the application. SQL injections are one of the types of code injection attacks.

SQL injections, depending on the type of vulnerability, may allow an attacker to execute an arbitrary request to the database. That is, the attacker will be able to read the contents of any tables, delete, change or add data, and there is also a possibility of obtaining the ability to work with local files and execute arbitrary commands on the attacked server.

Consequences of SQL injections

• Data theft
• Modification of data
• Data deletion
• Full hacking of the system

SQL injection type attacks become possible due to incorrect processing of input data by the application. Developers of sites and applications working with relational databases should be aware of such vulnerabilities and take countermeasures.

From the point of view of the security of the site or web application, the most correct is the filtering of all received data (the application, in principle, should not accept the parameters that were transmitted for unknown reasons) and the thoughtful processing of those parameters that are used to build a request to the database.

To prevent SQL injections, the main directions of input data processing should be:

• escaping special characters in the received string parameters (universal method)
• conversion of the received data to the type expected by the application (works well on the Boolean type and on numbers)
• normalization and cleaning of the received parameters with regular expressions (similar to type conversion, but works for more complex parameters)
• validation of received parameters according to reference books (often the list of expected parameters is known and limited)
• truncation of the obtained parameters (the length of the injections is usually quite long)
• the use of parameterized requests (the request is sent separately from the parameters, the parameters in this case are screened automatically)
• correct use of client libraries and ORM capabilities (libraries for working with DBMS and ORM usually well document their correct use from the point of view of security)
• filtering by keywords and the subsequent ban of the attacker (a measure that complicates scanning for vulnerabilities).

To discover more about how Swan Software Solutions can help with your technology needs, schedule a free assessment.