The Web Doctor

Brian Platz
The Web Doctor
Salem, Oregon
(503) 373-4728
(503) 373-9848 (Fax)


SERVICES: SQL INJECTION / CROSS-SITE SCRIPTING


The Web Doctor is a computer consulting company offering full service consulting on information technology and its application to business solutions. Our primary business model focuses on database design, custom software development, IT consulting, and all aspects of web services and web site design.

SQL injection, a very common form of attack of websites everywhere, is becoming ever more prevalent. While it is a well-known risk in web application development, it can be difficult to combat because most preventative measures are prone to human error.

Wikipedia says SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

SQL injection attacks let malicious code enter strings that are later passed to a database instance for parsing and execution; THIS IS BAD. The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

An SQL injection attack is possible when an attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. An SQL query is a request for some action to be performed on a database. Typically, a Web form that requires authentication asks the user for a name and password in the text boxes provided, and the values entered are inserted into a SELECT query. If the values are found as expected, the user is allowed access; if they are not found, access is denied. However, most Web forms have no mechanism in place to block input other than names and passwords. Unless such precautions are taken, an attacker can use the input boxes to send their own request to the database and carry out SQL injection, which could allow them to download the entire database or interact with it illegally, a direct threat to data security.

An SQL injection attack "injects" or manipulates SQL code. Unexpected SQL is added to a query, making it possible to manipulate the database in ways the database administrator never imagined.

The risk of SQL injection attacks is on the rise because of automated tools. Earlier, SQL statements had to be inserted manually. Now tools have been released that let someone pick up a freeware program, point it at a Web site, and automatically download a database without any knowledge whatsoever. This makes things a lot more critical and severe, and constant checks are required to protect data security and the entire database.

According to security experts, the reason that SQL injection, like cross-site scripting, is possible is that security is not taken into consideration while development is under way. To protect the integrity of Web sites and applications and guard against SQL injection, experts recommend simple precautions during development such as controlling the types and numbers of characters accepted by input boxes. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. It is a challenge for database administrators and developers to find a way to prevent SQL injection attacks.
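As an added example (not The Web Doctor's own code), here is the login check described above in both forms: the concatenated SELECT the text warns about and a parameterized version, plus the character allow-list the precautions paragraph recommends. It assumes Python's sqlite3 with a constructed in-memory users table, plaintext passwords for brevity, and a made-up username policy.

```python
import re
import sqlite3

# Constructed in-memory users table for this demonstration only (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("O'Brien", "pa55")])
    conn.commit()
    return conn

def login_concatenated(conn, name, password):
    """The pattern the text warns about: form values pasted into the SELECT text,
    so any quote character in the input becomes part of the SQL statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1

def login_parameterized(conn, name, password):
    """Placeholders: the driver passes the values separately from the statement,
    so they are treated as data and cannot change the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] == 1

# Allow-list check in the spirit of limiting the characters and length a form
# field accepts (assumed policy: letters, digits, apostrophe, dot, dash, max 32).
USERNAME_RE = re.compile(r"^[A-Za-z0-9.'-]{1,32}$")

def validate_username(name):
    return USERNAME_RE.fullmatch(name) is not None

def demo():
    """Run both login paths on a legitimate name that contains a quote."""
    conn = make_db()
    out = {"param_ok": login_parameterized(conn, "O'Brien", "pa55"),
           "param_wrong": login_parameterized(conn, "O'Brien", "nope")}
    try:
        login_concatenated(conn, "O'Brien", "pa55")
        out["concat_error"] = None
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early and broke the statement:
        # the same mechanism an injection relies on, surfacing here as an error.
        out["concat_error"] = str(exc)
    return out

if __name__ == "__main__":
    print(demo())
```

The parameterized path accepts the quoted name as ordinary data, while the concatenated path lets that same character rewrite the statement, which is why the review of every SQL-constructing procedure the text calls for matters even when input filtering is in place.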


Contact The Web Doctor Today. We offer a FREE Initial Consultation. Let's Discuss Your Ideas.
