Catallaxy Services | Understanding and Eliminating SQL Injection

Understanding and Eliminating

@feaselkl

An injection attack is when you insert code in a manner the application developers did not expect.

Example: your text box populates @Parameter to do a lookup on a table. An attacker overloads @Parameter to perform some unexpected operation.

Another way of thinking about injection attacks: getting "outside" the parameter.

SQL injection is not the only injection attack available.

By 2006, web application vulnerabilities had become more popular than buffer overflows.
SQL injection (and injection attacks in general) are #1 on the OWASP top 10 list.
2011 Imperva study: 83% of successful data breaches involve SQL injection

Get schema information
Get protected data
Perform "administrative" tasks
- Create bogus user accounts (including administrative accounts)
- Create, drop, or alter tables or views
- Delete, update, or insert data
Run arbitrary executable code

Because of how easy it is to stop SQL injection, your application being susceptible indicates that you may have bigger problems, like:

Using administrative accounts instead of least-privilege accounts
Not protecting against other web application attacks (e.g., cross-site scripting, cross-site request forgery, or iframe injection)
Not having measures in place to protect against data loss
Not taking appropriate care of sensitive data (e.g., not hashing passwords properly, storing card data in violation of PCI standards)

There is one and only one way to protect yourself against SQL injection: parameterize your queries.

To learn how to do this for non-ASP.Net solutions, go to http://bobby-tables.com.

Catallaxy Services consulting:
https://CSmore.info/on/contact