Advanced Topics on SQL Injection Protection
SQL injection is now one of the most common attacks on the Internet. Simply go to Yahoo! or Google and search for 'SQL injection' and you will find tons of related documents.
Although awareness of SQL injection is rising, many people still do not have a concrete idea of how to prevent SQL injection attacks.
The information has been provided by Sam NG.
The original article can be found at: http://www.owasp.org/index.php/Image:Advanced_Topics_on_SQL_Injection_Protection.ppt
Methods to prevent SQL Injection:
1. Input Validation – Development Phase
2. Static query statement – Development Phase
3. Least Privilege – Development Phase
4. Code Verification – QA Phase
5. Web Application Gateway – Production Phase
6. SQL Driver Proxy – Production Phase
7. MISC methods
Some programmers may think that escaping apostrophes with two apostrophes (and backslashes with two backslashes for MySQL) is all input validation has to do.
This is completely WRONG!
A few important steps are missed, and the program is probably still vulnerable to SQL injection.
There are at least four steps we have to do for input validation:
1. Escape apostrophes with two apostrophes (and backslashes with two backslashes for MySQL)
2. Make sure numeric fields really look like numbers
3. Do steps 1 and 2 not only on users' direct input, but on all non-constant variables
4. Check that the inputs are within your expectations (e.g. 0 < age < 120, login id without spaces, etc.)
Escape inputs properly:
Escaping apostrophes with two apostrophes (or backslashes with two backslashes for MySQL) can usually be done with one line of code.
However, we have to ensure that any decoding is done in the correct order.
To avoid SQL injection properly, the apostrophe-escaped input should NOT be further encoded or decoded by any other coding scheme.
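The four validation steps above and the decoding-order rule, as an added example in Python (not code from the presentation); the allowed login-id character set, the `users` table and the `display_name` column are assumptions for illustration:

```python
import re
from urllib.parse import unquote


class ValidationError(ValueError):
    """Raised when an input fails one of the four checks."""


def escape_literal(value, mysql=False):
    """Step 1: double apostrophes; for MySQL also double backslashes first."""
    if mysql:
        value = value.replace("\\", "\\\\")
    return value.replace("'", "''")


def validate_number(value):
    """Step 2: a numeric field must look like a number. It is used without
    quotes, so apostrophe escaping alone would not protect it."""
    if not re.fullmatch(r"-?\d+", value.strip()):
        raise ValidationError("not a number: %r" % value)
    return int(value)


def validate_age(value):
    """Step 4: the value must also be within expectation, 0 < age < 120."""
    age = validate_number(value)
    if not 0 < age < 120:
        raise ValidationError("age out of range: %d" % age)
    return age


def validate_login_id(value):
    """Step 4: a login id without spaces (allowed charset is an assumption)."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,32}", value):
        raise ValidationError("bad login id: %r" % value)
    return value


def build_update(login_id, age, display_name):
    """Step 3: every non-constant value is validated or escaped, including
    display_name, which may come from the database rather than the user."""
    return ("UPDATE users SET age = %d, display_name = '%s' WHERE login = '%s'"
            % (validate_age(age), escape_literal(display_name),
               escape_literal(validate_login_id(login_id))))


def escape_then_decode(raw):
    """Wrong order: URL-decoding after escaping can reintroduce an apostrophe."""
    return unquote(escape_literal(raw))


def decode_then_escape(raw):
    """Right order: finish every other decoding first, escape last."""
    return escape_literal(unquote(raw))


def rejected(check, value):
    """True if a check refuses the value; used for self-checks."""
    try:
        check(value)
    except ValidationError:
        return True
    return False
```

`escape_then_decode("O%27Brien")` yields a bare apostrophe inside the literal, which is exactly the case the decoding-order rule forbids.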
To read more please download the presentation: http://www.owasp.org/index.php/Image:Advanced_Topics_on_SQL_Injection_Protection.ppt