EndPoint Package (anti-virus software) - General Information About SQL Injection Attacks


Overview

This document provides a basic summary of the SQL injection vulnerability and some suggestions for minimizing the threat of these attacks.


Background

SQL injection attacks are possible because of the power and nature of SQL syntax: SQL allows multiple operations to be embedded in a single SQL call.

A SQL injection attack is one in which an attacker inserts code into a dynamically generated SQL string. Methods of insertion include typing code into an entry field, or adding code to the ‘href’ link or the URL in the browser’s address line (when a page redirects and passes data as a parameter). The characters in the inserted code form SQL statements that override or alter the original SQL call. This allows information to be accessed and acted upon, and it may also allow operating system commands to be executed.


Steps to Take to Mitigate SQL Injection Attacks

  1. Back up your data. This will allow for recovery if your data is attacked.
  2. Enable logging on both the SQL and Web servers. This will allow you to trace activities in case your site or database is cracked.
  3. Use current software with latest enhancements. This minimizes your exposure to known vulnerabilities.
  4. Limit the permissions that the Web users have. This reduces the window of vulnerability for attack.
  5. Pass information between forms in session variables, instead of as parameters.
  6. Check incoming or input information. In particular, check for special characters or words like ‘SELECT’, ‘UPDATE’, ‘DELETE’, ‘EXEC’, ‘INSERT’, ‘ODBC’, etc. Identify the allowable characters and restrict entry to only those characters (e.g. numeric digits only for a numeric value).
  7. Compartmentalize code. Keep error checking on pages that are not displayed.
  8. Hash or encrypt sensitive data (such as ids, passwords and social security numbers) that is being stored.
  9. Change the administrator account from ‘Admin’ to an alternate name (however, it is not possible to change or remove ‘sa’ account in Microsoft SQL Server).
  10. Use non-identifying names for tables and fields (especially for the table containing ids and passwords). Add false tables with invalid ids and passwords (but obvious names) as decoys for possible hackers.
  11. Set up applications to perform periodic scans of log files and notify managers by email in case probable attacks are found.
  12. Explicitly handle runtime exceptions wherever possible. Make messages helpful to the user without giving information away to hackers.
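The input checks in step 6, written out as an added example (this is illustrative code, not part of the original article or of any MSU software): each field is accepted only if every character is on an allow-list for its field type (the field types and the sample form are constructed for the example), and the article's keyword list is matched as whole words so that a surname such as "Selection" is not a false positive. Rejections are collected as log lines for the log scanning described in steps 2 and 11.

```python
import re

# Words the article says to check for (step 6), matched as whole words and
# case-insensitively so that a surname such as "Selection" is not a false positive.
SUSPICIOUS_KEYWORDS = ("SELECT", "UPDATE", "DELETE", "EXEC", "INSERT", "ODBC")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_KEYWORDS) + r")\b", re.IGNORECASE)

# Allow-lists (hypothetical field types): the only characters each field may contain.
# Quote characters are deliberately absent from every list, because a quote is what
# lets input break out of a string literal in a dynamically built SQL statement.
ALLOWED = {
    "numeric": re.compile(r"[0-9]{1,10}"),
    "name": re.compile(r"[A-Za-z][A-Za-z .-]{0,49}"),
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "text": re.compile(r"[A-Za-z0-9 .,!?-]{0,200}"),
}

def validate_field(value, field_type):
    """Return (accepted, reason); accept only values made wholly of allowed characters."""
    pattern = ALLOWED.get(field_type)
    if pattern is None:
        return False, "unknown field type"
    if not pattern.fullmatch(value):
        return False, "characters outside the allow-list"
    return True, "ok"

def suspicious_keywords(value):
    """Upper-cased list of the article's keywords found in value, for the log (step 11)."""
    return [m.group(1).upper() for m in KEYWORD_RE.finditer(value)]

def check_form(form, schema):
    """Validate each field named in schema; return (clean values, log lines for rejects)."""
    clean, log = {}, []
    for field, field_type in schema.items():
        value = form.get(field, "")
        ok, reason = validate_field(value, field_type)
        hits = suspicious_keywords(value)
        if ok and not hits:
            clean[field] = value
        else:
            log.append(f"rejected {field}={value!r}: {reason}; keywords={hits}")
    return clean, log

# Constructed sample submission for the example, not real data.
SCHEMA = {"account": "numeric", "surname": "name", "user": "username", "note": "text"}
SAMPLE_FORM = {
    "account": "1042",             # digits only: accepted
    "surname": "Selection",        # contains "select" but not as a whole word: accepted
    "user": "o'malley",            # quote is not an allowed username character: rejected
    "note": "please delete this",  # whole word DELETE: logged and rejected
}
```

Run `check_form(SAMPLE_FORM, SCHEMA)` to see the two accepted fields and the two log lines.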


Additional Information

These websites have additional information about SQL injection attacks:
