SQL Injection: How to Prevent it?


What is SQL injection?

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in the application's software, for example when user input is incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed.
SQL injection attacks allow attackers to spoof identity, tamper with existing data and cause other issues. In 2012 it was observed that the average web application received 4 attack campaigns per month, and retailers received twice as many attacks as other industries.

SQL injection process

SQL injection was listed among the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project (OWASP). This vulnerability allows the hacker to submit crafted input that interferes with the application's interaction with its back-end database. A hacker may be able to obtain arbitrary data from the application.

Types of SQL injection

SQL injection attacks are divided into several types, including:
  1. Union-based SQL injection: this is the most popular type of SQL injection. It uses the UNION operator, which combines the results of two SELECT statements, to obtain data from the database.
  2. Error-based SQL injection: an error-based SQL injection is the simplest type, but the only difficulty with this method is that it runs only with MS-SQL Server. In this attack, the application is made to reveal database contents through its error messages.
  3. Blind SQL injection: blind SQL injection is the hardest type, because no error messages are received from the database; the data is instead extracted by asking the database questions. Blind SQL injection is further divided into two kinds: Boolean-based SQL injection and time-based SQL injection.


SQL injection is a serious risk to your website and your users, so how can you prevent it?
First, you should use parameterized statements, like the first of these two:
string sql = "SELECT * FROM users WHERE email = ?";
string sql = "SELECT * FROM users WHERE email = '" + email + "'";
The key difference between the two statements above is that in the first case the parameterized query text and the parameter values are passed to the database separately, so the database always treats the value as data and executes the statement correctly. In the second case the SQL text is built by first taking the value of the email variable and then executing the resulting statement, which lets an attacker shape the statement sent to the server by supplying malicious input. That is why the second form must be avoided.
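The two query styles above, run side by side against a small in-memory SQLite table. This is an added example, not code from the original post; the table, rows and inputs are constructed here for illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with two sample users (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def find_user_concat(conn, email):
    # Vulnerable form: the value is spliced into the SQL text, so a quote in
    # `email` ends the string literal and whatever follows is parsed as SQL.
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, email):
    # Safe form: the statement text and the value travel separately; the
    # driver binds `email` as data, so it can never change the query's shape.
    sql = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice@example.com"
    # Input that closes the string literal early, as the article describes.
    crafted = "x' OR '1'='1"
    return {
        "concat_normal": len(find_user_concat(conn, normal)),    # 1 row
        "concat_crafted": len(find_user_concat(conn, crafted)),  # every row leaks
        "param_normal": len(find_user_param(conn, normal)),      # 1 row
        "param_crafted": len(find_user_param(conn, crafted)),    # 0 rows: treated as a literal
    }


if __name__ == "__main__":
    print(demo())
```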
Second, if you are unable to use parameterized statements, the next approach is to ensure proper escaping of special characters in input parameters. Injection attacks often depend on the attacker being able to supply input that prematurely closes the string literal in which it appears in the SQL statement.
Programming languages have standard ways to represent strings that contain quotes, and SQL is no exception. Typically the quote character is doubled: replacing ' with '' makes the database treat the quote as part of the string rather than as its end.
Escaping special characters is a simple way to protect against most SQL injection attacks, and many languages have standard functions for it. There are a couple of drawbacks to this approach, however: you need to apply the escaping consistently in every place in your code where an SQL statement is constructed, and you must also handle numeric ids in SQL statements separately, since they are not quoted and quote escaping does not protect them.

It is also very good practice to sanitize the input to your application. Take care when handling GET and POST request fields: check that an email field contains no symbol characters other than @ and ., and ensure that a name field contains no symbols at all.
Client-side validation is useful for giving the user immediate feedback while filling out a form, but it is no defense against a serious attacker, since most attack attempts are performed with scripts rather than through the browser itself.
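The fallback controls from the two preceding sections (quote doubling, separate handling of numeric ids, and server-side whitelisting of email and name fields) in one runnable form. This is an added example, not code from the original post; the whitelist patterns follow the article's rule and are stricter than real-world email syntax, and the table and inputs are constructed for illustration.

```python
import re
import sqlite3


def escape_sql_string(value):
    # Double each single quote so the database reads it as part of the
    # literal rather than as the end of the literal (standard SQL rule;
    # databases with backslash escapes need their driver's own escaper).
    return value.replace("'", "''")


def to_safe_id(value):
    # Numeric ids are not quoted in SQL, so quote escaping cannot protect
    # them; convert to int and refuse anything that is not a plain integer.
    try:
        return int(str(value).strip())
    except ValueError:
        return None


# Whitelists following the article's rule: email may contain letters, digits,
# '@' and '.'; a name may contain letters and spaces only (an assumption for
# illustration, stricter than RFC email syntax).
EMAIL_RE = re.compile(r"[A-Za-z0-9@.]+")
NAME_RE = re.compile(r"[A-Za-z ]+")


def is_valid_email(email):
    return EMAIL_RE.fullmatch(email) is not None and email.count("@") == 1


def is_valid_name(name):
    return NAME_RE.fullmatch(name) is not None


def lookup_by_email_escaped(conn, email):
    sql = "SELECT id FROM users WHERE email = '" + escape_sql_string(email) + "'"
    return conn.execute(sql).fetchall()


def lookup_by_id(conn, raw_id):
    user_id = to_safe_id(raw_id)
    if user_id is None:
        return []  # reject rather than interpolate unchecked text
    return conn.execute("SELECT id FROM users WHERE id = %d" % user_id).fetchall()


def demo():
    # Constructed in-memory table with a single user.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users (email) VALUES ('alice@example.com')")
    return {
        "escaped_normal": len(lookup_by_email_escaped(conn, "alice@example.com")),
        "escaped_crafted": len(lookup_by_email_escaped(conn, "x' OR '1'='1")),
        "id_normal": len(lookup_by_id(conn, " 1 ")),
        "id_crafted": len(lookup_by_id(conn, "1 OR 1=1")),
    }
```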

stay safe with Tech4allgeeks

About Author
Hisham Elreedy is a Digital Electronics Engineer, Graphics Designer, Blogger and YouTuber, inspired to teach all he knows from his experience studying undergraduate engineering by creating useful posts.
