What is SQL Injection

Transcript

What is SQL injection?

SQL injection (SQLi) is a code injection technique that exploits a vulnerability in the way an application builds the SQL it sends to its database. A SQL injection attack occurs when a web application takes input from, for example, a URL parameter or a web form field and concatenates it into a SQL statement without validating it or binding it as a parameter, so that the database server executes the attacker's text as part of the query.

An example:

User access
  • Simple ColdFusion query: http://www.domain.com/file.cfm?CustID=100
  • Resulting SQL statement: SELECT * FROM Customers WHERE CustID=100

Hacker access
  • Inject malicious code: http://www.domain.com/file.cfm?CustID=100;DELETE Customers
  • Resulting SQL statement: SELECT * FROM Customers WHERE CustID=100;DELETE Customers
  • Deletes all data from the Customers table

The page code has pasted the CustID value straight into the query text, so the database receives a batch of two statements and runs both: the SELECT the developer intended, then the attacker's DELETE (in T-SQL, DELETE Customers is shorthand for DELETE FROM Customers). Nothing in the request looks unusual to the database; the attacker's text simply became part of the program.

SQL injection by the numbers
  • SQL injection accounts for almost 26% of all web application attacks (Akamai, State of the Internet report).
  • The average cost of a minor SQL injection attack exceeds $196,000 (Global Threat Intelligence Report).
  • On average, it takes nearly 140 days to discover a SQL injection breach (The SQL Injection Threat Study, DB Networks).

SQL injection vulnerability rates for web applications written in…
  • Java 21%
  • .NET 29%
  • PHP 56%
  • ColdFusion 62%
  • Microsoft ASP 64%

Protecting against SQL injection attacks

Separate code from data
  • First: Code. Create the query template, with placeholders where values will go.
  • Then: Add data. Fill in the parameters using the database API's parameter binding.
  • Last: Submit the query. The database compiles the template as SQL and treats each bound value as data only, so a value can never be parsed as additional statements.
Validate input data
  • Data integrity: Data has not been tampered with.
  • Data validation: Limit check, data type, format and character check.
  • Business rules: Make sure your data follows your business rules.
  • Do not perform black-list validation: a list of known-bad strings is always incomplete and is bypassed with encoding tricks or alternative SQL syntax.
  • Always use white-list validation: define exactly what valid input looks like (for example, a CustID is a short string of digits) and reject everything else.
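The ColdFusion example above and the "separate code from data" and "validate input data" steps, worked through as an added Python example; this is not code from the page or from IDERA. It uses Python's built-in sqlite3 module as a stand-in for ColdFusion and SQL Server, with a constructed Customers table, and the function names (make_db, run_batch, lookup_vulnerable, lookup_parameterized, is_valid_cust_id, lookup_safe) are assumptions for the demo. Two differences from the page are handled in comments: sqlite3's execute() refuses stacked statements, so a small helper splits the batch to reproduce what SQL Server does with the page's URL, and SQLite spells the attack's DELETE as DELETE FROM Customers.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's Customers table.
SAMPLE_ROWS = [(100, "Alice"), (101, "Bob"), (102, "Carol")]


def make_db():
    """In-memory SQLite database with a small Customers table (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def count_customers(conn):
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


def run_batch(conn, sql):
    """Toy stand-in for a driver that accepts stacked statements, as SQL Server
    does for the page's ColdFusion example. sqlite3's execute() refuses more than
    one statement per call, so this splits on ';' and runs the pieces in order,
    returning the rows of the last statement that produced a result set.
    (Naive split: fine for the demo, not for real SQL containing ';' in literals.)"""
    rows = []
    for stmt in (s.strip() for s in sql.split(";")):
        if not stmt:
            continue
        cur = conn.execute(stmt)
        if cur.description is not None:  # SELECT-like statement: keep its rows
            rows = cur.fetchall()
    conn.commit()
    return rows


def lookup_vulnerable(conn, cust_id):
    """The page's pattern: the raw request parameter is glued into the SQL text."""
    sql = "SELECT * FROM Customers WHERE CustID=" + cust_id
    return run_batch(conn, sql)


def lookup_parameterized(conn, cust_id):
    """Code first, data second: the query template is fixed, the value is bound.
    Whatever the string contains, the engine only ever sees one SELECT."""
    cur = conn.execute("SELECT * FROM Customers WHERE CustID=?", (cust_id,))
    return cur.fetchall()


# Whitelist: a customer ID is 1-10 ASCII digits, nothing else (assumed rule).
CUST_ID_RE = re.compile(r"[0-9]{1,10}")


def is_valid_cust_id(value):
    return CUST_ID_RE.fullmatch(value) is not None


def lookup_safe(conn, cust_id):
    """Whitelist validation plus a bound parameter: bad input is rejected up front,
    good input is passed as a typed value rather than as SQL text."""
    if not is_valid_cust_id(cust_id):
        raise ValueError(f"invalid CustID: {cust_id!r}")
    return lookup_parameterized(conn, int(cust_id))


if __name__ == "__main__":
    # The page's attack uses T-SQL's "DELETE Customers"; SQLite needs DELETE FROM.
    payload = "100;DELETE FROM Customers"

    conn = make_db()
    print(lookup_vulnerable(conn, "100"))       # [(100, 'Alice')]
    print(lookup_vulnerable(conn, payload))     # [(100, 'Alice')] - the user still gets a row ...
    print(count_customers(conn))                # 0 - ... but the table is now empty

    conn = make_db()
    print(lookup_parameterized(conn, payload))  # [] - the payload is just a non-matching value
    print(count_customers(conn))                # 3 - nothing was deleted
    try:
        lookup_safe(conn, payload)
    except ValueError as exc:
        print(exc)                              # invalid CustID: '100;DELETE FROM Customers'
    print(lookup_safe(conn, "100"))             # [(100, 'Alice')]
```

The parameterized lookup alone already defeats the page's attack, because the bound value never reaches the SQL parser; the whitelist check on top of it turns a silent empty result into a clear error and keeps garbage out of the application. In ColdFusion the same separation of code from data is written as `<cfqueryparam value="#url.CustID#" cfsqltype="cf_sql_integer">` inside the `<cfquery>` tag, which both binds the value as a parameter and rejects non-integer input.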
Assign least privileged access

Reduce the risk of a potential SQLi attack by minimizing the access privileges of the database login your application uses: a page that only reads from Customers should run as an account that cannot DELETE from that table, alter the schema, or reach other databases, so that even a successful injection is limited in what it can do. SQL Compliance Manager and SQL Secure help protect against SQL injection by identifying and alerting on abnormal activities and providing real-time auditing of all login activity to SQL Server.
