How to prevent sql injection?. Recently, cybercrime has increased. Of the various forms of threats that exist, SQL injection is one form of attack on web applications that is often found.
In fact, according to research by the OWASP software security organization, SQL injection is the third biggest security risk in web applications.
This type of attack incurs a lot of damage due to the destruction of the website or application database. To know more about what SQL injection is and how to avoid it.
What is SQL Injection?
SQL stands for Structured Query Language, which means the standard language used to access and manipulate things in the form of a database.
SQL is use to manage database systems, is like SQL server or Oracle. For the use of SQL almost everything is similar in the database system.
After discussing the meaning of SQL, then move on to the definition of SQL Injection. SQL Injection or often called SQLi is a code for injection technique that is used to attack security vulnerabilities in a data-based application.
The loophole occurs where when inputting from a user is not filter properly. Over time since the 1990s, SQL Injection has grown and is then has been use by certain parties to inject strings which are sequences of characters in query programming to existing databases.
For example, if the column for username, which should be fill with alphabets or numbers, is filled with characters or punctuation marks such as periods, commas, underlines, things like that.
Due to these various things, causing attackers to use this vulnerability by entering queries from SQL. SQL Injection is a technique that has always been the favorite attacker for most hackers.
Due to the increasing difficulty, hackers carry out tracking and attacks through networks caused by the increasingly sophisticated protection system of the target.
How it Works?
Until now, SQL injection is still a favorite technique used by hackers to hack web or applications. This is because basically, the way SQL injection works is quite simple. Namely by abusing security holes at the database layer.
SQL injection can occur due to a security vulnerability. This gap was form because the developers did not activate the filter for meta characters on the input form in the application.
Therefore that hackers could finally use it to write SQL commands in the login/input form. In short, this technique is execute through the username form.
The username form should only be filled in using characters, but the form can be filled with other characters. That way, hackers can embed SQL control characters such as (:;-,=’) and command keywords that can damage the database structure.
As a result, the hacker was able to enter SQL injection queries and the website was successfully been hack.
How to Prevent SQL Injection?
In order to prevent and reduce the effects and impacts of attacks caused by SQL Injection, preventive measures can be taken, including:
1. Limit Input Box
In order to further tighten the security of the system in each box is limit to the number of characters. For example, for filling in the name, at least give 30 characters or more.
Adjust to the needs so as to minimize the incoming SQL Injection attack attempts will be constraint and prevent by the number of characters available.
2. Customize the Input Box
If the purpose of the form for the input box is to write a name, then it is given specifically for letters only. To fill in the telephone number column, it is enough to just fill in numbering or numbers.
So that SQL Injection attacks can be avoid so that it doesn’t happen.
3. Turn off Error Handling
If an error message occurs, it is necessary to take offline action or turn off the error message notification feature that comes out of the SQL server.
If, until there is an error message, this could be an opportunity for hackers to do deep exploitation of SQL Injection experiments.
When a web server experiences a processing error. It should respond with a generic web page, or it can redirect the user to a standard location.
Debug information or other details, should not be expose or disclose because it can give attackers a chance. Application servers, often installed with error messages or after debugging is enable by default.
So that the attacker looks at the documented application server to see the hidden error messages.
4. Filter Users
Performs a filter on each user’s input, especially those using single-quoted characters (‘) or validation input. Because this can be one of the tricks hackers do for SQL Injection.
5. Privilege Settings
Make changes to the ‘startup and run SQL Server’ part with the low privilege user settings available on the SQL Server Security Tab menu.
Of all the prevention methods that have been describe, the important point is learning SQL is very important to deal with attacks from SQL Injection.
However, as you know, there are now quite a number of automated attack tools to perform SQL Injection. This is an important point that must always be studied and understood.
Especially for administrators or web programmers.
6. Disable SQL Standard Features
Standard features in SQL applications, such as Stored Procedures or Extended Stored Procedures, would be better to disable. Because these features are vulnerable to attacks from SQL Injection.
7. Data Input Validation
Input validation is generally divided into two methods, namely whitelisting and blacklisting.
- Whitelisting – This is a data filtering method by only accepting input data that has been confirmed to be safe. Data input that is outside the whitelist will be automatically rejected.
- Blacklisting – This is the opposite of whitelisting, which only rejects data input that is known to be bad or dangerous, such as certain characters (&, ;, `, ‘, \, “, |, *, ?, ~, <, >, ^ , (, ), [, ], {, }, $, \n, and \r).
You can apply either one or both at once to filter the data that your website can process.
8. Using Parameterized SQL Query
The use of parameterized queries or prepared statements is a simple technique that is fairly easy to prevent SQL injection.
The purpose of this method is to distinguish between SQL queries and user input data. A simple example is with the following code:
Code :
PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");
statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();
The code above makes the SELECT and WHERE query commands read as plain data.
So, even if the attacker writes a query command in the input box, the query will not be able to change the query structure of your website/application.
9. Using SQL Escape String
You can use SQL Escape String to prevent malicious SQL queries from entering the website database.
SQL Escape String itself is a series of code that functions to add escape characters, namely changing one character that is considered dangerous (‘) into another character (\’). For example, SQL injection becomes SQL injection\’tion.
$kar = “SQL injec’tion”;
$filter = mySQL_escape_string($kar);
echo”Result filter : $filter”;
The above code will change the character (‘) and show the message Filter result: SQL injection\’tion. That way, the SQL query entered will not be read as a malicious command.
Conclusion
Simply put, SQL Injection is an attack on a web application, not a web server or the operating system itself. SQL Injection is the act of adding an unnecessary SQL command to a query. Thus manipulating the database in a way that the admin or database developer does not want.
Because if successful in carrying out an attack, data can be retrieve, edited and modified and even delete from the database server used by the web application.
Worse, in certain circumstances, SQL Injection can be use to take full control of a system.