Hi,
Please find the Definition for SQL Injection below
What is SQL Injection?
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of a web application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
“SQL Injection” is subset of the unverified/unsanitized user input vulnerability (”buffer overflows” are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it’s straightforward to create some real surprises.
Types of SQL Injections:
There are four main categories of SQL Injection attacks against databases layer in Web Application
1. SQL Manipulation: manipulation is process of modifying the SQL statements by using various operations such as UNION .Another way for implementing SQL Injection using SQL Manipulation method is by changing the where clause of the SQL statement to get different results.
2. Code Injection: Code injection is process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.
3. Function Call Injection: Function call injection is process of inserting various database function calls into a vulnerable SQL statement. These function calls could be making operating system calls or manipulate data in the database.
4. Buffer Overflows: Buffer overflow is caused by using function call injection. For most of the commercial and open source databases, patches are available. This type of attack is possible when the server is un-patched
SQL Injection Prevention Techniques:
Mitigation of SQL injection vulnerability would be taking one of the two paths i.e. either using stored procedures along with callable statements or using prepared statements with dynamic SQL commands. Whichever way is adopted the data validation is must.
a. Input validation
Data sanitization is key. Best way to sanitize data is to use default deny, regular expression. Write specific filters. As far as possible use numbers, numbers and letters. If there is a need to include punctuation marks of any kind, convert them by HTML encoding them. SO that ” become “”" or > becomes “>” For instance if the user is submitting the E-mail address allow only @, -, . And _ in addition to numbers and letters to be used and only after they have been converted to their HTML substitutes
b. Use of prepared statement
The prepared statements should be used when the stored procedures cannot be used for whatever reason and dynamic SQL commands have to be used.
Use a Prepared Statement to send precompiled SQL statements with one or more parameters. Parameter place holders in a prepared statement are represented by the? And are called bind variables. Prepared statement are generally immune to SQL Injection attacks as the database will use the value of the bind variable exclusively and not interpret the contents of the variable in any way. PL/SQL and JDBC allow for prepared statements. Prepared statements should be extensively used for both security and performance reasons.
c. Use minimum privileges
Make sure that application user has specific bare minimum rights on the database server. If the application user on the database uses ROOT/SA/dbadmin/dbo on the database then; it surely needs to be reconsidered if application user really needs such high amount of privileges or can they be reduced. Do not give the application user permission to access system stored procedures allow access to the ones that are user created.
d. Stored procedures
To secure an application against SQL injection, developers must never allow client-supplied data to modify the syntax of SQL statements. In fact, the best protection is to isolate the web application from SQL altogether. All SQL statements required by the application should be in stored procedures and kept on the database server. The application should execute the stored procedures using a safe interface such as Callable statements of JDBC or CommandObject of ADO.
Regards
Vijay.R