Three major measures minimize the harm of SQL injection attacks

Source: Internet
Author: User
Tags: sql injection attack

Any application that builds database queries from user-provided data is a potential target of SQL injection attacks. Database administrators cannot completely block SQL injection attacks against their database servers on their own, but administrators and application developers can each take measures that minimize the impact of such attacks.

What can a database administrator do?

Do not place databases and Web servers on the same computer.

Use a firewall or an unroutable (private) IP address to block Internet access to the database server. Once configured this way, packets from the database server cannot be forwarded to the Internet, and the Web server needs an explicit route in order to reach the database server.

Use trusted IP access lists and access controls (for example, IPsec) to restrict which machines can communicate with the database server.

Remove all sample scripts and applications from the database server.

Give each application its own dedicated, low-privilege database account for its connections. Never connect as sa, dba, or admin.

Do not allow users or applications to access database tables directly; instead, use an application role with limited access to the database. If the application only needs read access, give it read-only access.

Remove unused stored procedures from the production database.

Authorize the application to execute only the user-created stored procedures it needs.

Do not grant the application any access to operating system commands or system stored procedures.
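As an added example (not code from the original article) of the read-only and least-privilege advice above: the script below uses Python's sqlite3 module, where opening the database file with mode=ro stands in for a database role that holds only SELECT rights on a server RDBMS. The table, rows and file name are constructed for the example. A write attempted through that connection, such as one an injected statement might try, is refused by the database itself, so the account's privileges act as a backstop even if the application's input handling fails.

```python
import os
import sqlite3
import tempfile


def create_sample_db(path):
    """Constructed sample schema and rows (example data, not from the page)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 24.50)],
    )
    conn.commit()
    conn.close()


def open_read_only(path):
    """Open the file read-only; SQLite's mode=ro stands in for a SELECT-only role."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def attempt_write(conn, sql):
    """Return True if the statement ran, False if the read-only connection refused it."""
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        # SQLite reports "attempt to write a readonly database" here.
        return False


def demo():
    """Read through the limited connection, then show that a write is rejected."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "shop.db")
    create_sample_db(path)

    ro = open_read_only(path)
    rows = ro.execute("SELECT name FROM products ORDER BY id").fetchall()
    # This is the kind of statement an injected input might smuggle in.
    write_allowed = attempt_write(ro, "UPDATE products SET price = 0")
    widget_price = ro.execute(
        "SELECT price FROM products WHERE name = 'widget'"
    ).fetchone()[0]
    ro.close()
    return {
        "rows": [r[0] for r in rows],
        "write_allowed": write_allowed,
        "widget_price": widget_price,
    }


if __name__ == "__main__":
    print(demo())
```

On a server database the equivalent is a dedicated application account granted SELECT (or EXECUTE on specific stored procedures) and nothing else; the point is the same: the privilege boundary is enforced by the database, not by the application code.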


What can the Application Designer do?

Application designers bear the main responsibility for the security of Web applications. Strengthening security review during the design and coding stages is the key to eliminating program vulnerabilities. At a minimum, programmers should implement the following measures:

Have the application return generic, non-specific error messages. During an SQL injection attack, attackers can obtain valuable information, such as table and column names, from the default error messages generated by the database.

Validate user input before it is submitted to the database. Accept only the expected input and limit its length. Note: where possible, check all user input against a whitelist. An application-layer firewall can also be used to inspect all inputs and accept only those that meet the criteria.

During development, use Web application scanning tools to detect vulnerabilities in the code.

Isolate Web applications from the SQL database and keep all SQL statements the application needs on the database server.

Use static queries. If you need dynamic queries, use prepared statements.

Use a secure interface, such as the ADO Command object, to execute the application's stored procedures.
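The following is an added example, not code from the original article, that puts three of the developer measures above side by side in Python with sqlite3: a query that concatenates user input (the vulnerable form), the same query as a prepared statement, a whitelist check with a length limit, and a wrapper that returns a generic message to the caller while keeping the database's real error text in a server-side log. The users table, its rows, the username whitelist pattern and the INTERNAL_LOG list are all constructed for the example.

```python
import re
import sqlite3


def build_sample_db():
    """Constructed sample data (not from the page): a small in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn, name):
    """VULNERABLE: the input becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared statement: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def raw_error_text(conn, name):
    """The database's own error message, i.e. what leaks if it is shown to the user."""
    try:
        lookup_concatenated(conn, name)
        return None
    except sqlite3.Error as exc:
        return str(exc)


# Whitelist (assumed policy): 1-32 chars, lowercase letters/digits/underscore,
# starting with a letter. Anything else is rejected before it reaches the database.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(value):
    """Return the value unchanged if it matches the whitelist, else raise ValueError."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username rejected by whitelist")
    return value


INTERNAL_LOG = []  # detailed errors go here; the user never sees them


def find_user(conn, name):
    """Hardened lookup: whitelist, then prepared statement, then a generic error."""
    try:
        rows = lookup_prepared(conn, validate_username(name))
        return {"ok": True, "rows": rows}
    except (ValueError, sqlite3.Error) as exc:
        INTERNAL_LOG.append(repr(exc))  # keep the detail server-side
        return {"ok": False, "message": "The request could not be processed."}


if __name__ == "__main__":
    db = build_sample_db()
    print(lookup_concatenated(db, "' OR '1'='1"))  # every row: the classic failure
    print(lookup_prepared(db, "' OR '1'='1"))      # no rows: treated as a literal name
    print(raw_error_text(db, "o'brien"))           # the error text a user should not see
    print(find_user(db, "o'brien"))                # generic message instead
```

A plain apostrophe in a legitimate value such as o'brien is enough to break the concatenated query and expose a database syntax error, which is exactly the information the "generic error message" measure is meant to withhold; the prepared statement handles the same value without incident.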

Detect SQL Injection Vulnerabilities and attacks

It is not easy to detect vulnerable applications, because these vulnerabilities may exist in any user-facing application interface. Although not all SQL injection attacks are easy to detect, database administrators and developers can do the following:

Read the Web server logs. SQL injection attacks are sometimes easy to spot there, because far more entries than normal are written to the log.

Search for HTTP 404 and HTTP 500 error log entries, and for other error entries the application generates when checking user input.

Use Web application scanning tools. They can warn the database administrator about where an application is vulnerable to SQL injection attacks.

Before deploying an application, it is critical to check it for SQL injection risk factors.
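The log-review steps above (unusual request volume, HTTP 404/500 entries, and error entries tied to user input) can be turned into a small triage script. The one below is an added example, not part of the original article: it parses a handful of constructed Common Log Format lines, counts 404/500 responses per client, and flags query strings that, once URL-decoded, contain SQL metacharacters or keyword shapes. The sample log lines, the error threshold and the detection pattern are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic) in Common Log Format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /products?id=42%27 HTTP/1.1" 500 231
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /products?id=42%20OR%201%3D1 HTTP/1.1" 500 231
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /missing HTTP/1.1" 404 120
"""

# Common Log Format: client ident user [timestamp] "method path protocol" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Triage heuristic (assumed, deliberately simple): a quote, a comment marker,
# UNION, or an "OR x=y" shape in the decoded query string.
SQLI_HINT_RE = re.compile(r"'|--|\bunion\b|\bor\b\s*\S+\s*=\s*\S+", re.IGNORECASE)


def parse_log_line(line):
    """Return the named fields of one CLF line, or None if it does not parse."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def suspicious_query(path):
    """True if the URL-decoded query string matches the SQL-injection heuristic."""
    decoded = unquote_plus(path)
    if "?" not in decoded:
        return False
    return SQLI_HINT_RE.search(decoded.split("?", 1)[1]) is not None


def analyze_log(text, error_threshold=2):
    """Summarise a log: flagged requests plus clients with many 404/500 responses."""
    hits = []
    errors = Counter()
    for raw in text.splitlines():
        entry = parse_log_line(raw)
        if entry is None:
            continue  # skip unparseable lines rather than failing the whole run
        if entry["status"] in ("404", "500"):
            errors[entry["client"]] += 1
        if suspicious_query(entry["path"]):
            hits.append((entry["client"], entry["status"], unquote_plus(entry["path"])))
    noisy = {client: n for client, n in errors.items() if n >= error_threshold}
    return {"suspicious_requests": hits, "noisy_clients": noisy}


if __name__ == "__main__":
    for key, value in analyze_log(SAMPLE_LOG).items():
        print(key, value)
```

Treat the output as a starting point for review, not as proof: a legitimate value such as o'brien in a query string also trips the quote check, and a broken link can produce a burst of 404s. The useful signal is the combination, one client producing both flagged query strings and a run of 500 responses.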

In short, a robust defense against SQL injection attacks must be checked at multiple stages: development, deployment, management, and maintenance. Security management personnel must keep up with the latest SQL injection trends and adopt practical tools to minimize program vulnerabilities.

