SQL Injection

What is SQL Injection?

SQL Injection occurs when a web application lets attacker-controlled input be interpreted as part of a SQL command. Such attacks can not only destroy data but also let the attacker exfiltrate data through the injected SQL. This is particularly dangerous for public-facing web applications whose SQL-backed endpoints take easily modified inputs such as GET or POST parameters. SQL injection works against any SQL interpreter that receives unsanitized outside input: the attacker controls the input and can therefore pass dangerous commands, such as dropping tables or printing passwords.


How to Mitigate

API with Parameterized Statements

Switching from building queries out of direct input to using a safe API with parameterized statements is probably the safest way to deal with SQL injection. The query structure is fixed in advance and user input is bound to placeholders as data, so the SQL interpreter never parses that input as part of the command. Using a parameterized API is the best method for mitigating SQL injection attacks.


Character Escaping

If a parameterized API is not available, your web application should at least escape special characters in user input. This should be considered a last line of defense, since character escaping is not 100% bulletproof. Each interpreter has its own rules for performing character escapes, as linked below:

Alternatively, the web application itself can attempt to escape queries, but depending on how requests are handled, it becomes even more difficult to escape correctly. The best defense against injection remains parameterized API calls, since they work on the principle of whitelisting, not blacklisting, commands and calls.
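The following added example (not code from the original page) shows the three approaches discussed above side by side: a query built by string concatenation, the same query using a parameterized statement, and a query using a single-quote escaping function as a fallback. It uses Python's standard sqlite3 module with a constructed in-memory "users" table, and the table name, column names and sample rows are all assumptions made for the illustration. Run it against a tautology-style input and only the concatenated version returns every row; the parameterized and escaped versions treat the input as a literal username.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with a small users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Concatenation: the interpreter parses whatever is in `username` as SQL."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized statement: query structure is fixed, input is bound as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def escape_single_quotes(value):
    """Escape for SQLite string literals by doubling single quotes.

    This is the last-line-of-defense approach from the text: it covers only the
    quote character for this one interpreter, so it is not a general solution.
    """
    return value.replace("'", "''")


def lookup_escaped(conn, username):
    """Concatenation with escaping applied to the input first."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + escape_single_quotes(username)
        + "'"
    )
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal username and a classic tautology payload.
    for value in ("bob", "' OR '1'='1"):
        print("input:", repr(value))
        print("  concatenated :", lookup_vulnerable(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
        print("  escaped      :", lookup_escaped(db, value))
```

For the normal input all three functions return the same single row. For the tautology input, `lookup_vulnerable` returns all three rows because the WHERE clause has been rewritten, while `lookup_parameterized` and `lookup_escaped` return nothing because the input is compared as a plain string. A useful detection signal in logs is exactly this mismatch: a lookup for "one" username returning many rows.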


Further Reading

OWASP SQL Injection Prevention Cheat Sheet

SANS on SQL Injection

Bobby-Tables: Code Examples of Parameterized Inputs