We discuss here some SQL injection prevention techniques with SQL injection types also.
An SQL injection is a class of code injection attacks, in which data provided by the user is included in a SQL query in such a way that part of the user’s input is treated as SQL code.
SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements.
SQL injection techniques may differ, but they all exploit a single vulnerability in the application.
Incorrectly validated or not validated string literals are concatenated into a dynamic SQL statement and interpreted as code by the SQL engine.
Types of SQL Injection
Blind or Inferential
Boolean Based: Query to get true and false value until not find the desired result like matching usernames.
Time-Based: Giving time delay to capture the result.
In-band SQL Injection
This occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.
Error Based: Retrieving information from DB errors, vary DB to DB
Union Based: It is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
In this case, the attacker will provide an SQL injection that will get stored and executed by a separate behavior of the database system.
7 SQL injection prevention techniques
1 Parameterized Statements or query eg.
Bad: “SELECT * from users where username + “ ‘ uname’“”;
Good : SELECT * from users where username = ?, email
Using sprintf or ORM is a good way to querying with DB.
2 Beware of Stored Procedures(Part of ORM Injections)
Wrong: User.where(“name = ‘“+ name + “‘”)
Always use parameterized stored procedures
3 Escaping User Inputs
eg. in search box codes should not be allowed
4 Sanitizing the user inputs
eg. echo sanitize_email(s email@example.com)
Whitespace should not present DB
5 DB error should not be displayed to users
eg. Syntax error near clients ‘ like errors should not be displayed to users
6 Errors should be logged in the file.
7 DB should have the least privilege.