SQL Injection Attacks

By Paladion

November 15, 2004

How can I protect my application from SQL Injection attacks?

  1. Check all user inputs for special characters like " ‘ "
  2. Use Database stored procedures
  3. Use parametrized queries instead of dynamic SQL statements
  4. All of the above

The best answer to the quiz is 4) All of the above.

SQL Injection is a type of attack where an attacker crafts his input carefully to mislead the application into executing them as SQL statements. The attack exploits input validation bugs to achieve this. SQL Injection can be defeated at different levels and the three different choices reflect that.

Since SQL Injection is caused by inadequate input validation, strong input validation can thwart these attacks. It is thus a good idea to centralize all input validation and check for special characters like ‘ [single-quote] that could indicate a SQL Injection attack. However, in large applications this is error-prone and attackers could still find a single weak validation to successfully inject SQL.

Database stored procedures are not vulnerable to SQL Injection as they do not use dynamic SQL statements. So if your application has been designed exclusively with stored procedures, you are safe from SQL injection. In practice, it is unlikely that all your database activity relies on stored procedures. That might even be inadvisable in a multi-tier architecture where the business logic is to be separated from the database layer. So this is also a partial solution.

Languages like Java and .Net support parametrized queries that allow the application to invoke prepared statements in the database. These do not use dynamic SQL statements and hence are safe from SQL injection attacks. For instance, CallableStatements and PreparedStatements in Java and ADO CommandObjects in ASP enable parametrized queries that are safe against SQL Injection attacks.

Tags: Quiz