SQL Injection


SQL Injection




What Does Sql Injection Mean

• First, there is a software defect
• That defect results in a security vulnerability (or just vulnerability)
 • A vulnerability is a weakness for certain types of attacks on the security of the application
 • One of the possible attack types is an SQL Injection
• So, if you have a vulnerability that permits SQL Injection attacks, you have an SQL Injection vulnerability
 • Why are we talking about this before we know more about security?


The SQL Injection Attack

• SQL is “Structured Query Language” • It is a standardized language for accessing databases

• Examples
• select name from employee where ssn=‘123456789’
 • select name, ssn, dob from employee where ssn=‘123456789’ and id=‘31042’ 
• select code,name from products where code =‘536’ union select code,name from sales where code > ‘500’

·      Every programming language implements SQL functionality in its own way



SQL Injection Example DB












Remediation

• How do you prevent SQL Injection

 – Input validation
– Using prepared statements
– Stored procedures
 – Escape special characters
 – All of these, or at least more than one

at

No comments:

Post a Comment

Your feedback is highly appreciated and will help us to improve our content.

Subscribe to: Post Comments (Atom)