Working for a consulting firm, I have had the experience of getting to play around with a lot of websites created by other people in various programming languages. One thing that concerns me, however, is the number of them that are open to SQL injection attacks. Wikipedia defines SQL injection as “a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.” (via wikipedia.org). Confusing? In simpler terms, if your site is vulnerable, a bad guy can log in without knowing any login information, make changes, add users, steal information or, worse yet, drop your database.
You may ask yourself, but how common are these attacks? More than you know. Just recently, 130 million credit card numbers were stolen using a similar attack on 7-Eleven stores (source).
What makes this problem worse is that there is no reason why it should be such a big issue. With a little planning and work you can protect your site from these attacks altogether. There are some simple steps that can be taken to avoid the issue:
- Treat all data captured on your website as dangerous and use techniques to escape or properly encode it.
- Avoid dynamic SQL statements; use stored procedures (or parameterized queries) with parameters instead.
- The account used to connect to your database should have the least privileges necessary to perform its job, and it should not be your ‘sa’ account.
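To make the second and third points concrete, here is an added example (not code from the original post) in Python using the standard-library sqlite3 module: a login check built by string concatenation sits beside the same check written with bound parameters, and the connection is locked to read-only queries as a stand-in for a least-privilege database account. The table, the user row and the test input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    # Least-privilege analogue: the login code only needs to read, so refuse
    # writes on this connection (a SELECT-only database account plays this
    # role on a real server; 'query_only' is an SQLite pragma).
    conn.execute("PRAGMA query_only = ON")
    return conn


def login_dynamic(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL text, so a quote
    in the input changes the structure of the statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Fixed: the statement text is constant; input is bound as parameters,
    so the database only ever compares it as data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def can_write(conn):
    """True if the connection is allowed to change data (it should not be)."""
    try:
        conn.execute("INSERT INTO users VALUES ('mallory', 'x')")
        return True
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return False


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input: closes the string literal
    print(login_dynamic(db, "nobody", crafted))        # True: no password needed
    print(login_parameterized(db, "nobody", crafted))  # False: treated as text
    print(login_parameterized(db, "alice", "correct-horse"))  # True
    print(can_write(db))                               # False: read-only
```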
Following these guidelines will help to ensure that your site is going down the right path. More information and links on the subject are available here: http://en.wikipedia.org/wiki/SQL_injection.
Need your site analyzed or your vulnerabilities fixed? Give us a call today to set up an appointment: (805) 389-0229.