In order to eliminate the common threat of SQL injection-based attacks for web applications, there are a number of best practices organisations should be following.
The simple "least privilege" principle should be applied. Firstly, privileged access to databases should be kept to an absolute minimum.
Database administration (DBA) access should not be assigned to application accounts. Application testing should start with accounts having the least access rights to the databases, and then working slowly upwards to see the minimum rights that can be assigned for applications to function.
Similarly, you should minimise the privileges of the operating system (OS) accounts that the Database Management System (DBMS) runs under. DBMS should not be given access to system or root access privileges.
As with many current challenges facing our industry, I also believe a whitelist approach is much more effective than the widely-adopted blacklist approach.
Read more about SQL injection attacks
- Security Think Tank: Development and testing key to reducing SQLi attacks
- Security Think Tank: Quick time to market to blame for many SQLi attacks
- Security Think Tank: SQLi attacks fly under security testing radar
- Security Think Tank: SQLi is basically a process problem
- Security Think Tank: No quick fix to SQLi attacks
In this context this applies to validating the input fields in the application by the user and preventing hackers from using the input fields to send unauthorised queries to the database. Historically, this has taken the form of blacklist input validation, where the developer blacklists certain characters or key control phrases from the input fields.
As with all blacklist strategies, this is easily circumvented by the hacker, who simply uses another method not accounted for on the current blacklist. Whitelist validation, by contrast, determines exactly what is allowed into the user input fields, such as name, address, telephone number, etc. This can be done by a logic check for string patterns against the fields on the input pages, but also by best practice of restricting access to input fields by utilising drop-down lists and radio buttons where applicable.
Preventing SQL injection attacks as with many application-based attacks, starts with good coding practices. When coding queries, developers should use parameterised queries. This aims to allow the database to separate actual data used in the query from the code itself, irrespective of the user input. Parameterised queries mean that the developer defines all the SQL code, and passes each parameter to the query later.
Phil Stewart is director of communications ISSA-UK
This was first published in September 2012