SQL Injection
What Does Sql Injection Mean
• First, there is a software defect
• That defect results in a security
vulnerability (or just vulnerability)
•
A vulnerability is a weakness for certain types of attacks on the security of
the application
•
One of the possible attack types is an SQL Injection
• So, if you have a vulnerability that
permits SQL Injection attacks, you have an SQL Injection vulnerability
•
Why are we talking about this before we know more about security?
The SQL Injection Attack
• SQL is “Structured Query Language” •
It is a standardized language for accessing databases
• Examples
• select name from employee where
ssn=‘123456789’
•
select name, ssn, dob from employee where ssn=‘123456789’ and id=‘31042’
•
select code,name from products where code =‘536’ union select code,name from
sales where code > ‘500’
· Every programming language implements SQL functionality in its
own way
SQL Injection Example DB
Remediation
• How do you prevent
SQL Injection
– Input validation
– Using prepared
statements
– Stored procedures
– Escape special characters
– All of these, or at least more than one
No comments:
Post a Comment
Your feedback is highly appreciated and will help us to improve our content.