What are SQL injections, how to prevent them, and what are the best practices?

8/12/2019 8:37:32 PM

[INACTIVE] Roosevelt

13 Answers



SQL injection is an attack that consists of inserting malicious and unauthorised SQL code into text fields of a web page (forms). To prevent this attack, inserted texts have to be verified before submitting (special characters have to be prevented).


SQL injection is the insertion of SQL commands into the backend of an app, which will likely affect its database, like deleting a row of data, changing the admin password, deleting a whole database and much much more. You can prevent this by sanitizing every single input field that you get from the user, from the address bar to the input tag in the "contact me" form. You would also need to use prepared statements when constructing SQL queries to prevent attacks when there's a flaw in the sanitizing of data.


This is by far the best explanation you can find online: https://www.xkcd.com/327/




By use of prepared statements, generally. Also, in PHP, make use of the mysqli_real_escape_string function.


SQL injection is basically an injection of SQL. One way it can appear is when someone puts an SQL query in an input, injecting it with his own commands. For example, if the backend (for instance a nodejs web server) decided to store all the usernames that the frontend gave it in a database (with Sqlite for instance), the server could do it like this:
db.run("INSERT INTO Users(`" + username + "`);");
So I simply put the username string into the table as a string, so if I put the usernames jack, potato the queries will look like this:
INSERT INTO Users('jack');
INSERT INTO Users('potato');
and the table would show something like this:
Users | name
jack
potato
But what if I use characters like the single quote ` that symbolizes a string? We can easily break the query and mess with the database from the frontend. So if I type in the input something like this:
`); DROP TABLE Users;--
in this input query I just break the SQL string and put my command to drop the Users table.


Now the full query looks like this:
INSERT INTO Users(''); DROP TABLE Users;--');
First we close the quote and write our query, and then we turn the ending of it into a comment (dash dash -- is a comment in Sqlite). Now the backend lost data because we injected the query (this is one example of what SQL injection can cause). The way to prevent SQL injection in most cases is to use prepared statements and parameterized queries. I will give you one example of a parameterized query that we could use to prevent injection in the last example. Instead of:
db.run("INSERT INTO Users(`" + username + "`);");
use:
db.run("INSERT INTO Users(?)", username);
A parameterized function can get parameters that will be substituted for some placeholder (in this case the '?'). These are the best ways to prevent SQL injection, and today most languages support it. Another way to prevent SQL injection is to unescape characters by yourself or reject data with bad characters (depending on what the backend needs).
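As an added example (not code from the answer above, which shows a nodejs/Sqlite db.run call), the same stacked-query break reproduced with Python's standard sqlite3 module against an in-memory database: the concatenated form loses the Users table, while the `?` placeholder stores the payload as an ordinary name. The table name, column name and payload string are taken from the answer; using executescript to mimic a driver that runs several ';'-separated statements is an assumption of this example.

```python
import sqlite3

# Constructed attacker input: the payload from the answer above. Assumption:
# the application's username field is the injection point.
PAYLOAD = "'); DROP TABLE Users;--"


def fresh_db():
    """In-memory database with the Users(name) table from the answer."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (name TEXT)")
    db.commit()
    return db


def insert_vulnerable(db, username):
    """String concatenation, as in db.run("... " + username + " ...").

    executescript() runs every ';'-separated statement it is handed, which is
    what a stacked-query payload needs (assumed here to mirror a driver that
    executes raw multi-statement SQL). The username is pasted into the SQL
    text, so a quote in it ends the string literal early.
    """
    sql = "INSERT INTO Users(name) VALUES ('" + username + "');"
    db.executescript(sql)
    return sql  # returned so the caller can see what was actually executed


def insert_parameterized(db, username):
    """Placeholder form: the value is bound as data, never parsed as SQL."""
    db.execute("INSERT INTO Users(name) VALUES (?)", (username,))
    db.commit()


def table_exists(db, table):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def stored_names(db):
    return [r[0] for r in db.execute("SELECT name FROM Users ORDER BY rowid")]


def demo_vulnerable():
    """Returns whether the Users table survives the concatenated insert."""
    db = fresh_db()
    insert_vulnerable(db, "jack")
    executed = insert_vulnerable(db, PAYLOAD)
    # executed == "INSERT INTO Users(name) VALUES (''); DROP TABLE Users;--');"
    return table_exists(db, "Users")


def demo_parameterized():
    """Returns (table still exists, names stored) for the bound-parameter insert."""
    db = fresh_db()
    insert_parameterized(db, "jack")
    insert_parameterized(db, PAYLOAD)
    return table_exists(db, "Users"), stored_names(db)


if __name__ == "__main__":
    print("table survives concatenation:", demo_vulnerable())
    print("table survives placeholder:", demo_parameterized())
```

Note the second run: with the placeholder the payload is stored verbatim as a name, quotes and all, which is exactly what the answer means by the parameter being substituted for the placeholder rather than spliced into the query text.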


It's a kind of security hack that enables the attacker to execute DDL / DML commands, usually using administrator privileges, to cause damage to the production database, by parsing an inline SQL query to do the needful 👿


Thoq! LOL


SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database. An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more. Attackers can use SQL Injections to find the credentials of other users in the database. They can then impersonate these users. The impersonated user may be a database administrator with all database privileges. SQL lets you select and output data from the database. An SQL Injection vulnerability could allow the attacker to gain complete access to all data in a database server. SQL also lets you alter data in a database and add new data. For example, in a financial application, an attacker could use SQL Injection to alter balances, void transactions, or transfer money to their account. You can use SQL to delete records from a database, even drop tables. Even if the administrator makes database backups, deletion of data could affect application availability until the database is restored. Also, backups may not cover the most recent data. In some database servers, you can access the operating system using the database server. This may be intentional or accidental. In such a case, an attacker could use an SQL Injection as the initial vector and then attack the internal network behind a firewall.


SQL injection is one of the most common web attack mechanisms utilized by attackers to steal sensitive data from organizations. While SQL Injection can affect any data-driven application that uses a SQL database, it is most often used to attack web sites. SQL Injection is a code injection technique that hackers can use to insert malicious SQL statements into input fields for execution by the underlying SQL database. This technique is made possible because of improper coding of vulnerable web applications. These flaws arise because entry fields made available for user input unexpectedly allow SQL statements to go through and query the database directly. The following are the three types of SQL injection attacks: Union-Based SQL Injection. It is the most popular type of SQL injection.

To keep your database safe from SQL Injection attacks, you can apply some of these main prevention methods:
1. Using Prepared Statements (with Parameterized Queries)
2. Using Stored Procedures
3. Validating user input
4. Limiting privileges
5. Hiding info from the error message
6. Updating your system
7. Keeping database credentials separate and encrypted
8. Disabling shell and any other functionalities you don't need

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more. A common misconception is that input filtering and escaping can prevent SQL Injection. While input filtering can help stop the most trivial of attacks, it does not fix the underlying vulnerability. In many cases, input filtering can be evaded by attackers, leaving your web application vulnerable despite attempts to, for example, blacklist certain characters on a web form.
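The claim in the answer above that escaping or blacklisting characters does not fix the underlying flaw, together with the earlier point that an attacker can pull other users' credentials out of the database, as one added example (not code from either answer or from any vendor source). It uses Python's standard sqlite3 module; the products and users tables, their rows, and the escape_quotes helper are constructed for the demonstration. The lookup is in a numeric context, so a UNION payload needs no quote at all and a quote-escaping filter passes it through unchanged; binding a typed integer parameter rejects it before any SQL is built.

```python
import sqlite3


def build_db():
    """Constructed sample database: a catalogue plus a user table whose
    password hashes are what a UNION-based injection reads out."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', 'hash_admin'), (2, 'alice', 'hash_alice');
    """)
    return db


def escape_quotes(value):
    """The kind of "sanitizer" an escaping approach applies (hypothetical
    helper): doubling single quotes stops a value from closing a string
    literal, but says nothing about a value dropped into a numeric position
    where no quote is ever needed."""
    return value.replace("'", "''")


def product_escaped_only(db, raw_id):
    """Vulnerable: the id is escaped and then concatenated into the query
    text, so everything after 'WHERE id =' is still attacker-controlled."""
    sql = "SELECT name, price FROM products WHERE id = " + escape_quotes(raw_id)
    return db.execute(sql).fetchall()


def product_parameterized(db, raw_id):
    """Fixed: a typed, bound parameter. Input that is not an integer is
    rejected up front; the integer travels as data, never as query text."""
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        return None  # reject rather than guess what the caller meant
    return db.execute(
        "SELECT name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()


# Constructed attacker input: two selected columns to match the product
# query's shape, and no quote characters, so escape_quotes() leaves it as is.
PAYLOAD = "0 UNION SELECT username, password_hash FROM users"


if __name__ == "__main__":
    db = build_db()
    print(product_escaped_only(db, "2"))              # [('gadget', 19.99)]
    print(sorted(product_escaped_only(db, PAYLOAD)))  # every user's credentials
    print(product_parameterized(db, "2"))             # [('gadget', 19.99)]
    print(product_parameterized(db, PAYLOAD))         # None
```

The escaped version returns the right product for a normal id, which is why this class of filter survives testing; the UNION row set only appears once someone tries an id that is not a number. The int() conversion is the "typed" half of "bound, typed parameters": the placeholder alone would also defeat this payload, but the type check additionally gives the application a clean place to log and reject the attempt.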


You can read 24 Deadly Sins of Software Security for a good overview and practical tips.


https://medium.com/@osagienoah04/fathomable-python-programming-beginner-to-advance-d02bdc5474bc check it out and give it a clap. Thanks...