‘Advanced Topics on SQL Injection Protection’

Summary

‘SQL injection is now one of the most common attacks in the Internet. Simply go to Yahoo! or Google and search for ‘SQL injection’ and we can find tones of related documents.
Although the awareness of SQL injection is rising, still many people do not have very concrete ideas on how to prevent SQL injection attack.
This article is not going to tell you what SQL injection is, nor going to tell you the latest techniques in SQL injection attacks, but more important, how to prevent SQL injection correctly and in a more integrated approach.’

Credit:

‘The information has been provided by Sam NG.
The original article can be found at: http://www.owasp.org/index.php/Image:Advanced_Topics_on_SQL_Injection_Protection.ppt


Details

Methods to prevent SQL Injection:
 1. Input Validation – Development Phrase
 2. Static query statement – Development Phrase
 3. Least Privilege – Development Phrase
 4. Code Verification – QA Phrase
 5. Web Application Gateway – Production Phrase
 6. SQL Driver Proxy – Production Phrase
 7. MISC methods

Input Validation
Some programmers may think escaping apostrophe with two apostrophes (and back slash with two back slashes for MySQL) is all input validation has to do.
This is completely WRONG!
A few important steps are missed and probably the program is still vulnerable to SQL injection.

There are at least four steps we have to do for input validation:
 1. Escape apostrophe with two apostrophes (and back slash with two back slashes for MySQL)
 2. Make sure numeric fields really look like numbers
 3. Do step 1′ and 2′ not only on users’ direct input, but on all non-constant variables
 4. Check if the inputs are within your expectation (e.g. 0 < age < 120, login id without space, etc.)

Escape inputs properly:
Escaping apostrophe with two apostrophes (or back slash with two back slashes for MySQL) usually can be done with one line of code.
However, we have to ensure that the decoding is done in the correct order.
To avoid SQL injection properly, the apostrophe-escaped input should NOT be further en/decoded by any other coding scheme.

To read more please download the presentation: http://www.owasp.org/index.php/Image:Advanced_Topics_on_SQL_Injection_Protection.ppt

Categories: Reviews