Tuesday, February 14, 2006

Sql Injection - Protect your applications

Sql Injection. Whats it it?
Its injecting sql server with scripts that can potentially break the security barriers of the application/server.
SQL injection is a security vulnerability that occurs in the database layer of an application, Its is not a SQL Server problem, but a problem with improperly written applications.

Audience:
Any one who develops/test applications that use sql statements.
Hey developers check it on all your applications that you have written so far (i checked it.. fortunately it didnt break any of my code)
SQL injection - protect your applications.

What can it do?
One or more of the following based on your application implementation
  • Hackers easily get authenticated on your application.
  • Hackers (even a simple db aware guy can do this) can read most of your table data.
  • Change most of the data of your DB.
  • Delete records from your tables.
  • Restart your webserver.
  • Shutdown your database. Can you think of anything worse than this for your application?

    Very simple example of Sql injection.
    Most of the applications have login screen, try entering following as
    login name: test' or 1=1 --
    password: anything
    An example of sql string created by any simple application vulnarable to sql injection is

    select * from users where username='test' or 1=1 -- and password='anything'

    This is how its evaluated to true, and the first level of entry.. successful.
    Curious to know other ways of injecting sql server? Read the article

    How to avoid sql injection?
  • Limit access to admin account by creating seperate applcation account.
  • Restrict user input lengths.
  • Strip off all quotes(if they are not expected).
  • Filter out sensitive db keywords (potential threats) from your inputs (Like select, drop, _xp etc).

    With such few additional validations/coding you can make your application safe from sql injection attacks. Happy coding.
  • 3 comments:

    Joel said...

    Good article!

    sanjaykattimani said...

    :) thanks.

    Mahesh kumar R said...

    Good article & collections !! I've added urs RSS feed.
    Keep bloggin & keep sharin.
    Mahes