In my previous blog I discussed some of the major cyberthreats companies face from daily operations, namely Ransomware and Phishing attacks. In part two of my blog series will be focused on mitigations and how web developers can prevent these attacks from happening. In this blog installment, I will be focusing on SQL Injections, what it is and how it can be prevented.
SQL Injection, or abbreviated as SQLi, is a type of attack to applications that abuses the vulnerability of user inputs to hack the database underneath the presentation layer of the application. According to reports, SQLi is still the number one threat to websites because it’s referred to as the easiest way to hack a website.
How it works is relatively simple: A hacker would inject SQL commands in a user entry field which is passed to the server and once that SQL command is passed to the database, that command is executed. To illustrate this, let’s take for example a website with a “sign up” page where users can input their first name, last name, address and credit card number. Once the user fills the details in and clicks on the “Sign up” button, these details are passed to the server and is saved to the database. Now, suppose a hacker goes into the same website, and instead of inputting correct details, he/she places SQL commands in the fields such as “First name: ‘select * from UserRecords and ‘’=’”. If the website doesn’t have the necessary mitigations to stop these kinds of attack, this command will get executed from the page to the database and the site will return all records from that database table. This would cause the site to mistakenly provide all information (e.g. names, credit cards, etc.) to the hacker and can be used maliciously. Not only that, a hacker can potentially do harm within the database such as delete a table, alter their data, provide access to other people, etc. the potential is limitless.
Fortunately, there are ways to prevent SQLi attacks from happening. The simplest and easiest way is to introduce prepared statements (or stored procedures) with parameterized queries for database calls from web pages. By doing this it will prevent a string to be passed to the database as a parameter and it would not be able to pass out the normal SQL command backend and would ensure that an attacker won’t be able to alter the intent of the query. Additionally, developers can opt to do validation before the page submits a request to the server. Before the page posts back, the developer can strip off/error out potential escape characters in the input field to avoid the command getting executed.
While SQLi is ranked as the number one type of cyber-attack to a website, there are still easy ways to mitigate this issue in order to protect your company’s valuable assets.
This post was written by Jonathan Martin, COO at Evolution Business Systems.
His expertise extends to software development, support, implementations and project management, he can envisage potential problems and identify them to improve the client experience and outcomes, like a mad scientist, behaviour, statistics and data are where he gets his insights from and lives by a golden rule to always start at the beginning as there are no shortcuts. Jonathan’s passion is to make a difference by assisting clients with their business problems.