In recent years, SQL injection attacks have plagued a large number of enterprises and have become a nightmare for enterprises. Since middle August, a new round of large-scale SQL injection attacks have swept a large number of websites, and even Apple's websites have not been spared. This type of rampant attack shows the increasing popularity of the industry. hackers are also increasingly fond of this type of attack that can penetrate into the enterprise's infrastructure and database resources.
There have been a lot of discussions about how to deal with SQL injection attacks, but why are there a large number of websites constantly suffering from these attacks? Security researchers believe that it is time to reorganize the best method to deal with large-scale SQL injection attacks, so as to reduce the risks associated with injection attacks. The methods described here may not be revolutionary, but how many enterprises implement these methods in an all-round way as required?
Next, we will talk about these methods one by one:
Use parameterized Query
Enterprises should develop and strengthen their own development software security coding guidelines, requiring developers to use parameterized queries to build SQL queries so that data can be distinguished from code.
For most SQL queries, developers need to specify certain standards. Therefore, parameterized queries are required, which are actually parameters that can be passed at runtime. Parameterized query is a query that contains one or more embedded parameters in an SQL statement. This method of embedding parameters in SQL statements is not prone to errors compared to dynamically constructing SQL strings. The following shows an example of using parameterized query in A. NET application. Suppose we want to increase the salary of Michael to 500 yuan, refer to the following code. These code examples demonstrate the use of parameterized queries and how to use update statements:
You can use SQL update commands to update records. In the preceding example, we performed the following operations: Create and open a database link, create a database command that represents executing the update statement, and run the INSERT command using the ExecuteNonQuery () method of EDBCommand.
Each parameter is specified by an EDBParameter object. For each parameter that needs to be specified in an SQL statement, you need to create an EDBParameter object and assign the value to this object. Then, add the EDBParameter object to the parameter set of the EDBCommand command.
For most development platforms, parameterized statements should be used instead of embedding user input into statements. In many cases, SQL statements are fixed. Each parameter is a scalar, not a table. User input is assigned to a parameter. The following is an example of using Java and JDBC APIs:
PreparedStatement prep = conn. prepareStatement ("SELECT * from users where username =? And password =? ");
Prep. setString (1, username );
Prep. setString (2, password );
Prep.exe cuteQuery ();
I use these examples to tell developers that the input should be purified before the database is queried. Ensure that the content you enter into the website is the data type you are looking for. Therefore, if you are looking for a number, you must ensure that the input must be a number rather than a character.
Implement filtering and monitoring tools
Horizontal Filtering and monitoring tools for Web applications and databases can help block attacks and detect attack behaviors, thus reducing the risk of exposure to large-scale SQL injection attacks.
At the application level, enterprises should implement runtime security monitoring to defend against SQL injection attacks and vulnerabilities in production systems. Similarly, Web Application Firewall helps enterprises deploy certain behavior-based rule sets to prevent attacks before any damages occur.
At the database level, database activity monitoring can also filter attacks from the background. Database monitoring is a powerful tool for dealing with SQL injection. For injection attacks that are currently known, you should deploy filters to warn the database administrator that they are experiencing unsafe problems and some general filters, it is used to find typical tricks in SQL injection attacks, such as cracking irregular numeric references of SQL code.
Carefully compile error messages
Hackers can use your error messages to deal with you in the future. Therefore, developers and database administrators must consider the error messages that should be returned when users enter unexpected "data.
Enterprises should configure Web servers and database servers so that they do not output error or warning messages. Attackers can use "blind SQL Injection" and other technologies to understand your database design details.
Patch and strengthen data in a timely manner
Because no patches or configuration errors are installed, the database associated with the Web application is attacked, and the risks associated with the SQL injection attacks are also increased.
Obviously, as long as a patch is available, you need to patch the database and patch Web applications and Web services.
In addition, don't forget how your database is configured. You need to disable unnecessary services and functions to strengthen the database and the operating system on which it depends.
Restrict database privileges
Finally, enterprises need to better manage the ways in which accounts related to Web applications interact with backend databases. Many problems occur because the database administrator has opened up some accounts to make it easier for developers to work. However, these super user accounts are vulnerable to attacks, which greatly increases the risks caused by SQL injection attacks and other Web attacks to the database.
You must manage all your accounts correctly so that they can only access the back-end database with the lowest privilege. Of course, the premise is that they can complete their work. You must ensure that these accounts do not have the right to make changes to the database.