How to Prevent SQL Injection
The great news is that there're a lot of solutions that sites and web apps owners can do to prevent an SQLi attack. Even though there isn't a guarantee and 100% solution in network security, you must prepare and educate yourself.
Here're 10 tips how you can minimize the risk of being a target to an SQLi attack.
• Be cautious
: Suppose, all user-submit info can wide open doors to the attack, so apply input validation by a feature as MySQL’s mysql_real_escape_string ()
to make sure that any malicious characters haven't passed to a SQL query through data. You must sanitize each data by filtering user data by context. For instance, email addresses must be filtered to enable only the characters allowed in email addresses or cell phone numbers must be filtered to allow for only the digits enabled in a phone number and so forth.
• Avoid dynamic SQL
: Frequently, the data sanitization techniques could fail, so apply prepared statements, stored procedures or parameterized queries whenever you can. But, consider the fact that while stored procedures restrict some SQLi types, they slip to guard vs. many others, so don’t depend only on their use for your protection.
• Patch and update:
Vulnerabilities in databases and apps that fraudsters can take advantage of have commonly identified, so it's crucial to use patches and updates whenever possible.
• WAF (web application firewall):
WAF whether softer or appliance-based is an excellent solution to filter out malicious data. A firewall can be especially useful to serve some security protection versus a new vulnerability before a patch is available.
• Limit your attack surface:
Remove any database services that you don't use to prevent attacker leverage off it. For instance, the xp_cmdshell
extended stored procedure in MS SQL produces a Windows command shell and make through in a string for execution, which may be very helpful for a fraudster. The Windows operation produced by xp_cmdshell
provides the similar security privileges such as the SQL Server service account.
• Apply sufficient privileges:
Avoid connecting your database through an account with admin-level privileges except you have some strong reason. Using a restricted account is a safer option, and can reduce an attacker malicious executes. Lead by example, the code behind the login page must query the database using an account restricted exclusively to the relevant credentials table. With this approach, a passage through this channel can’t be used to damage the complete database.
• Limited error message:
Attackers obtain themselves with the data about database architecture from error messages, so make sure that they provide minimal info. Apply the (RemoteOnly) custom errors mode or similar wordy error messages on the local computer and at the same time, and make sure that the fraudsters get only the unhandled error message.
• Permanently maintain SQL statements from database-connected apps:
This will provide to detect fake SQL vulnerabilities and comments. Supervising tools that exploit computer learning or behavioral analyses can be beneficial.
• Use adequate softer:
Your code writers must be responsible for checking the code and for fixing security gaps in a custom app before the software installed.