Defending Against SQL Injection Attacks
by MrBr - November 17, 2019 at 04:48 AM
#1
SQL injection attacks work by placing malicious code in SQL statements via web page input. They are one of the most common web hacking methods and a code injection technique that might destroy your database. In this article we will discuss different ways of defending against SQL injection attacks as I learn them.
Character Filtering

SQL is one of the easiest ways of defending yourself against injection attacks and we can provide protection by filtering the characters in the system. As you know, most SQL injection attack methods use characters such as single quotes ('), and filtering these characters will partially protect our system. By filtering, we can provide protection by converting one quote mark into doubled quote marks. The code below will work.
<%
' Double every single quote so it cannot end a quoted SQL string literal
Function SQLSecurity(ReplaceQuotes)
    SQLSecurity = Replace(ReplaceQuotes, "'", "''")
End Function
%>

You can make similar changes on the code by playing around with this method.
Limit Record Lengths

It is infinitely preferable that your site edit text entries according to the length of space allocated to your database. For example, if a maximum of 15 characters are entered in an entry field, no excess characters should be allowed in the field. This is a sensible precaution to take against SQL injection attacks.
Check Record Types

Check the types of data entered in a form that you have prepared. For example, a different type of input can be provided while the corresponding form must be entered. Such a check can be solved by writing simple code for robustness.
Limit Authorizations

If possible, it would be an advantage for you to connect to the database with restricted privileges, rather than through connection administrator rights. This acts as a useful backstop in case your system falls prey to an injection attack: the attacker will not be able to do much without admin privileges, buying you time to remediate.
Use A Whitelist

Everyone recommends setting up the blacklist, but an attacker can override the blacklist you set up by modifying combinations. But if you set up the whitelist logically, you can avoid the bad code and whitelist the good code to work.
Use GreenSQL

GreenSQL is an (open source and GPL license) DB firewall application that protects the database against SQL injection attacks. It works with proxy logic and has MySQL compatibility.

GreenSQL analyzes the commands sent by the client, and then sends them to MySQL. It prevents filtering of commands that are not visible and that are not added to whitelist.

That's it for now! These are all that I have read about and researched. This article will be updated in the future as I learn about more defense techniques.


Good luck.
Reply
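An added example, not part of the original post: one way to combine the length limit, type check and whitelist described above into a single server-side form validator. The field names, the allowed character set and the column list are assumptions constructed for illustration; only the 15-character limit comes from the post.

```python
import re

# Constructed schema for illustration; only the 15-character limit is from the post.
MAX_NAME_LEN = 15
NAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]+")   # whitelist of permitted characters
SORT_COLUMNS = {"name", "created", "email"}     # whitelist of permitted whole values


class ValidationError(ValueError):
    """Raised when a submitted field fails a check."""


def validate_name(raw):
    """Limit record length, then apply the character whitelist."""
    if not isinstance(raw, str) or not 1 <= len(raw) <= MAX_NAME_LEN:
        raise ValidationError("name: length must be 1..%d" % MAX_NAME_LEN)
    if not NAME_PATTERN.fullmatch(raw):
        raise ValidationError("name: character outside whitelist")
    return raw


def validate_id(raw):
    """Check record type: the field must be a plain decimal integer."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValidationError("id: not an integer")
    return int(raw)


def validate_sort(raw):
    """Whitelist of values: only known column names are accepted."""
    if not isinstance(raw, str) or raw not in SORT_COLUMNS:
        raise ValidationError("sort: unknown column")
    return raw


def validate_form(form):
    """Return cleaned, typed values, or raise on the first failing field."""
    return {
        "name": validate_name(form.get("name")),
        "id": validate_id(form.get("id")),
        "sort": validate_sort(form.get("sort")),
    }


def is_accepted(form):
    """True when every field passes its length, type and whitelist checks."""
    try:
        validate_form(form)
        return True
    except ValidationError:
        return False
```

The numeric and sort fields are the cases where quote filtering alone gives no protection, because those values are not wrapped in quotes inside the statement.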
#2
Very useful advice for the stage I'm in right now - thank you, kind user.
Reply
#3
Thanks. This is a good read.
Reply
#4
very useful, Thanks for it.
Reply
#5
thanks for sharing this guide.
Reply