banner image

SQL injection

attack, definition, errors, exploit, exploits, fatal, hacker, help, introduction, PHP, prevention, queries, query, security, Select, sql, Sql injection, vulnerability, web development, website development,
SQL injection is a type of security exploit/vulnerability in which the attacker submits a SQL code to a Web form input box exposing the back-end database to gain access to resources or make changes to data. SQL injection allows an attacker to create, read, update, alter or delete data stored in the back-end database. A SQL injection attack can occur when a web application utilizes user-supplied data without proper validation or encoding as part of a command or query.

Typically, on a Web form for user authentication, when a user enters their name and password into the text boxes provided for them, those values are inserted into a SELECT query as it is. If the values entered are found as expected, the user is allowed access; if they aren't found, access is denied. However, most Web forms have no mechanisms in place to block input other than names and passwords. Unless such precautions are taken, an attacker can use the input boxes to send their own request to the database, which could allow them to download the entire database or interact with it in other illicit ways.

You can prevent SQL injection if you adopt an input validation technique in which user input is authenticated against a set of defined rules for length, type and syntax and also against business rules. Most of the languages provide support for prevention of sql injection by the use of prepared statements/queries which checks the parameters to be used in the query for sql injection. Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures. Show care when using stored procedures since they are generally safe from injection. However, be careful as they can be injectable (such as via the use of exec() or concatenating arguments within the stored procedure). 
SQL injection SQL injection Reviewed by Zain Aftab on 03:56 Rating: 5

No comments:

Powered by Blogger.