+
Housekeeping
Project/assignment 6/quiz 6 questions?
Quiz 6: Query optimization, database security
 At 9:10, you'll have 15 minutes to do online student ratings
Office hours today: 10:30-12:30
Office hours next week: M/W/F 10:30-12:30
+
Security:
Access Control, SQL Injection Attacks
Based upon slides from: classes.soe.ucsc.edu/.../SQL%20Injection%20Attacks.ppt
homes.cs.washington.edu/~suciu/current-trends.ppt
www.cse.iitb.ac.in/dbms/Data/.../DBSecurity-Overview.ppt
+
Data Security
Protection from malicious attempts to steal (view) or modify data.
The science and study of methods of protecting data (...) from unauthorized disclosure and modification
Data Security = Confidentiality + Integrity
+
Traditional Data Security
Security in statistical databases = Theory
 http://en.wikipedia.org/wiki/Statistical_database
 In a statistical database, it is often desired to allow query access only to aggregate data, not individual records. Securing such a database is a difficult problem, since intelligent users can use a combination of aggregate queries to derive information about a single individual.
Security in SQL = Access control + Views
+
Access Control in SQL
GRANT privileges ON object TO users [WITH GRANT OPTION]
privileges = SELECT | INSERT | DELETE | . . .
object = table | attribute
REVOKE privileges ON object FROM users [CASCADE]
[Griffith&Wade'76, Fagin'78]
+
Access Control in MySQL
 http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html
 The primary function of the MySQL privilege system is to authenticate a user who connects from a given host and to associate that user with privileges on a database such as SELECT, INSERT, UPDATE, and DELETE
 There are some things that you cannot do with the MySQL privilege system:
 You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection.
 You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself.
 A password applies globally to an account. You cannot associate a password with a specific object such as a database, table, or routine.
+
Views in SQL
A SQL View = (almost) any SQL query
 Typically used as:
CREATE VIEW pmpStudents AS
SELECT * FROM Students WHERE…
GRANT SELECT ON pmpStudents TO DavidRispoli
+
Views in MySQL
 http://dev.mysql.com/doc/refman/5.0/en/create-view.html
 CREATE [OR REPLACE]
[ALGORITHM = {UNDEFINED | MERGE | TEMPTABLE}]
[DEFINER = { user | CURRENT_USER }]
[SQL SECURITY { DEFINER | INVOKER }]
VIEW view_name [(column_list)]
AS select_statement
[WITH [CASCADED | LOCAL] CHECK OPTION]
 The DEFINER and SQL SECURITY clauses determine which MySQL account to use when checking access privileges for the view when a statement is executed that references the view.
+
Summary of SQL Security
Access control = great success story of the DB community...
… or spectacular failure:
 Only ~30% assign privileges to users/roles
 And then to protect entire tables, not columns
Limitations:
 Often no row level access control
 Note: DB specific – fine-grained access control is an active area of improvement
 Table creator owns the data (not always fair)
+
MySQL security
 http://dev.mysql.com/doc/refman/5.0/en/security.html
Many aspects:
 General factors that affect security. These include choosing good passwords, not granting unnecessary privileges to users, ensuring application security by preventing SQL injections and data corruption, and others. See Section 6.1, “General Security Issues”.
 Security of the installation itself. The data files, log files, and all the application files of your installation should be protected to ensure that they are not readable or writable by unauthorized parties. For more information, see Section 2.18, “Postinstallation Setup and Testing”.
+
MySQL security
 Access control and security within the database system itself, including the users and databases granted with access to the databases, views and stored programs in use within the database. For more information, see Section 6.2, “The MySQL Access Privilege System”, and Section 6.3, “MySQL User Account Management”.
 Network security of MySQL and your system. The security is related to the grants for individual users, but you may also wish to restrict MySQL so that it is available only locally on the MySQL server host, or to a limited set of other hosts.
 Ensure that you have adequate and appropriate backups of your database files, configuration and log files. Also be sure that you have a recovery solution in place and test that you are able to successfully recover the information from your backups. See Chapter 7, Backup and Recovery.
+
SQL Injection Attacks
+
http://www.circleid.com/posts/20130325_sql_injection_in_the_wild/
+
What is a SQL Injection Attack?
Many web applications take user input from a form
Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
 SELECT productdata FROM table WHERE productname = 'user input product name';
A SQL injection attack involves placing SQL statements in the user input
+
SQL Injection Attacks on the rise
 https://www.net-security.org/secworld.php?id=13313
 “Many, many sites have lost customer data in this way,” said Chris Hinkley, Senior Security Engineer at FireHost. “SQL Injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see.”
+
2012 News of SQL attacks
 http://www.mysqlperformanceblog.com/2012/07/18/sql-injection-still-a-problem/
 An SQL injection vulnerability resulted in an urgent June bugfix release of Ruby on Rails 3.x.
 Yahoo! Voices was hacked in July. The attack acquired 453,000 user email addresses and passwords. The perpetrators claimed to have used union-based SQL injection to break in.
 LinkedIn.com leaked 6.5 million user credentials in June. A class action lawsuit alleges that the attack was accomplished with SQL injection.
 SQL injection was documented as a security threat in 1998, but new incidents still occur every month. Making honest mistakes, developers fail to defend against this means of attack, and the security of online data is at risk for all of us because of it.
+
Some good sites to learn more
Prevention guide (with sample code in many languages):
http://bobby-tables.com/
Tutorials:
(webinar) http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and-fallacies
http://www.netrostar.com/SQL-Injection-Attack
http://www.unixwiz.net/techtips/sql-injection.html
Cool site that lets you try out attacks on a sample DB and explains why they work
http://sqlzoo.net/hack/
Research paper on how to retrofit existing websites to combat SQL injection attacks
http://lersse-dl.ece.ubc.ca/record/205/files/paper.pdf
+
An Example SQL Injection Attack
Product Search:
blah' OR 'x' = 'x
 This input is put directly into the SQL statement within the Web application:
 $query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $_POST['prod_search'] . "'";
 Creates the following SQL:
 SELECT prodinfo FROM prodtable WHERE prodname = 'blah' OR 'x' = 'x'
 Attacker has now successfully caused the entire database to be returned.
+
A More Malicious Example
 What if the attacker had instead entered:
 blah'; DROP TABLE prodinfo; --
 Results in the following SQL:
 SELECT prodinfo FROM prodtable WHERE prodname = 'blah'; DROP TABLE prodinfo; --'
 Note how comment (--) consumes the final quote
 Causes the entire database to be deleted
 Depends on knowledge of table name
 This is sometimes exposed to the user in debug code called during a database error
 Use non-obvious table names, and never expose them to user
 Usually data destruction is not your worst fear, as there is low economic motivation
+
Other injection possibilities
Using SQL injections, attackers can:
 Add new data to the database
 Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site
 Perform an INSERT in the injected SQL
 Modify data currently in the database
 Could be very costly to have an expensive item suddenly be deeply 'discounted'
 Perform an UPDATE in the injected SQL
 Often can gain access to other users' system capabilities by obtaining their password
+
Best defence
If possible, use bound variables with prepared statements
 Many libraries allow you to bind inputs to variables inside a SQL statement
 PERL example (from http://www.unixwiz.net/techtips/sql-injection.html)
$sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");
$sth->execute($email);
See http://bobby-tables.com for example code in many languages
+
How does this prevent an attack?
 The SQL statement you pass to prepare is parsed and compiled by the database server.
 By specifying parameters (either a ? or a named parameter like :name) you tell the database engine what to filter on.
 Then when you call execute the prepared statement is combined with the parameter values you specify.
 It works because the parameter values are combined with the compiled statement, not a SQL string.
 SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters you limit the risk of ending up with something you didn't intend.
+
Other Defenses
Use provided functions for escaping strings
 Many attacks can be thwarted by simply using the SQL string escaping mechanism
 Quote characters (' and ") are escaped
 mysql_real_escape_string() is the preferred function for this
Will not guard against all attacks
 Consider:
 SELECT fields FROM table WHERE id = 23 OR 1=1
 No quotes here!
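The product-search example, the bound-variable defence, and the escaping caveat from the preceding slides, combined in one added Python example that is not from the slides or the pages they cite: a constructed prodtable in SQLite stands in for the slides' MySQL table, `search_by_name_unsafe` mirrors the PHP `$query` concatenation, `search_by_name_bound` is the prepared-statement form, and the `escape_quotes` helper imitates only the quote-doubling part of an escaping function so that the unquoted numeric case from the "No quotes here!" bullet can be shown side by side. All function names and table contents are assumptions made for this example.

```python
import sqlite3


def make_product_db():
    """Constructed catalogue so the example runs offline (ids 1, 2, 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE prodtable (id INTEGER PRIMARY KEY, prodname TEXT, prodinfo TEXT)"
    )
    conn.executemany(
        "INSERT INTO prodtable (prodname, prodinfo) VALUES (?, ?)",
        [("widget", "blue widget"), ("gadget", "red gadget"), ("gizmo", "green gizmo")],
    )
    return conn


def search_by_name_unsafe(conn, prod_search):
    """Vulnerable: the slides' $query pattern, user text spliced into the SQL."""
    query = "SELECT prodinfo FROM prodtable WHERE prodname = '" + prod_search + "'"
    return [row[0] for row in conn.execute(query)]


def search_by_name_bound(conn, prod_search):
    """Prepared statement: the SQL is compiled first and the value bound afterwards,
    so the value can never change the statement's structure."""
    query = "SELECT prodinfo FROM prodtable WHERE prodname = ?"
    return [row[0] for row in conn.execute(query, (prod_search,))]


def escape_quotes(text):
    """Imitates the quote handling of an escaping function: inside a SQL string
    literal a single quote is written as two single quotes."""
    return text.replace("'", "''")


def search_by_name_escaped(conn, prod_search):
    """Escaping does neutralise the quoted-string payload..."""
    query = "SELECT prodinfo FROM prodtable WHERE prodname = '" + escape_quotes(prod_search) + "'"
    return [row[0] for row in conn.execute(query)]


def search_by_id_escaped(conn, prod_id):
    """...but in an unquoted numeric context there is nothing for it to escape."""
    query = "SELECT prodinfo FROM prodtable WHERE id = " + escape_quotes(prod_id)
    return [row[0] for row in conn.execute(query)]


def search_by_id_bound(conn, prod_id):
    """Numeric input: parse it in the application (garbage raises ValueError),
    then bind the integer."""
    query = "SELECT prodinfo FROM prodtable WHERE id = ?"
    return [row[0] for row in conn.execute(query, (int(prod_id),))]


if __name__ == "__main__":
    db = make_product_db()
    payload = "blah' OR 'x' = 'x"            # the slides' product-search input
    print(search_by_name_unsafe(db, payload))     # every row comes back
    print(search_by_name_bound(db, payload))      # no product has that name
    print(search_by_name_escaped(db, payload))    # no product has that name either
    print(search_by_id_escaped(db, "23 OR 1=1"))  # escaping changed nothing: every row
    print(search_by_id_bound(db, "2"))            # exactly one row
```

Python's sqlite3 refuses a second statement inside a single execute() call, so the slides' `'; DROP TABLE` payload is rejected by this particular driver before it reaches the engine; that is a property of the driver, not a defence, and a database API that accepts multiple statements would run both. The bound form works regardless of driver because the statement shape is fixed before any user value is seen.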
+
More Defenses
Check syntax of input for validity
 Many classes of input have fixed languages
 Email addresses, dates, part numbers, etc.
 Verify that the input is a valid string in the language
 Some languages allow problematic characters (e.g., '*' in email); may decide to not allow these
 Exclude quotes and semicolons
 Not always possible: consider the name Bill O'Reilly
 Want to allow the use of single quotes in names
Have length limits on input
 Many SQL injection attacks depend on entering long strings
+
Even More Defenses
Scan query string for undesirable word combinations that indicate SQL statements
 INSERT, DROP, etc.
 If you see these, can check against SQL syntax to see if they represent a statement or valid user input
Limit database permissions and segregate users
 If you're only reading the database, connect to database as a user that only has read permissions
 Never connect as a database administrator in your web application
+
And Yet More Defenses
 Configure database error reporting
 Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.)
 Configure so that this information is never exposed to a user

More Related Content

What's hot

What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
Edureka!
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-SiteSQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
ijtsrd
 
Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data Masking
SolidQ
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
Md Syed Ahamad
 
CRMUG UK November 2015 - Dynamics CRM Security Modelling and Performance by A...
CRMUG UK November 2015 - Dynamics CRM Security Modelling and Performance by A...CRMUG UK November 2015 - Dynamics CRM Security Modelling and Performance by A...
CRMUG UK November 2015 - Dynamics CRM Security Modelling and Performance by A...
Wesleyan
 
C days2015
C days2015C days2015
C days2015
Nuno Loureiro
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Major relational database platforms available at the moment microsoft
Major relational database platforms available at the moment microsoftMajor relational database platforms available at the moment microsoft
Major relational database platforms available at the moment microsoft
My-Writing-Expert.org
 
Sql injection
Sql injectionSql injection
Sql injection
Nikunj Dhameliya
 
SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
HTS Hosting
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
Jawhar Ali
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
Chema Alonso
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Always encrypted overview
Always encrypted overviewAlways encrypted overview
Always encrypted overview
SolidQ
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
Extending Role Security in Analysis Services for SQL Server
Extending Role Security in Analysis Services for SQL ServerExtending Role Security in Analysis Services for SQL Server
Extending Role Security in Analysis Services for SQL Server
Kesavan Munuswamy
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
Public Broadcasting Service
 

What's hot (20)

What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-SiteSQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
 
Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data Masking
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
 
CRMUG UK November 2015 - Dynamics CRM Security Modelling and Performance by A...
CRMUG UK November 2015 - Dynamics CRM Security Modelling and Performance by A...CRMUG UK November 2015 - Dynamics CRM Security Modelling and Performance by A...
CRMUG UK November 2015 - Dynamics CRM Security Modelling and Performance by A...
 
C days2015
C days2015C days2015
C days2015
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Major relational database platforms available at the moment microsoft
Major relational database platforms available at the moment microsoftMajor relational database platforms available at the moment microsoft
Major relational database platforms available at the moment microsoft
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
 
Ebook4
Ebook4Ebook4
Ebook4
 
Code injection
Code injectionCode injection
Code injection
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Always encrypted overview
Always encrypted overviewAlways encrypted overview
Always encrypted overview
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
 
Extending Role Security in Analysis Services for SQL Server
Extending Role Security in Analysis Services for SQL ServerExtending Role Security in Analysis Services for SQL Server
Extending Role Security in Analysis Services for SQL Server
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 

Similar to Sql security

SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
CNSHacking
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
LokeshK66
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sql
Kaustav Sengupta
 
Lecture 15-16.pdf
Lecture 15-16.pdfLecture 15-16.pdf
Lecture 15-16.pdf
FumikageTokoyami4
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
Stacy Watts
 
GreenSQL Security
 GreenSQL Security GreenSQL Security
GreenSQL Security
ijsrd.com
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web security
Moutasm Tamimi
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
Data Base
Data BaseData Base
Data Base
Susan Tullis
 
Database security
Database securityDatabase security
Database security
CAS
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host Language
IRJET Journal
 
Introduction to SQL Injections
Introduction to SQL InjectionsIntroduction to SQL Injections
Introduction to SQL Injections
Haim Michael
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
Smitha Padmanabhan
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Security vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataSecurity vulnerabilities related to web-based data
Security vulnerabilities related to web-based data
TELKOMNIKA JOURNAL
 
Database security issues
Database security issuesDatabase security issues
Database security issues
n|u - The Open Security Community
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 

Similar to Sql security (20)

SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
Greensql2007
Greensql2007Greensql2007
Greensql2007
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sql
 
Lecture 15-16.pdf
Lecture 15-16.pdfLecture 15-16.pdf
Lecture 15-16.pdf
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
GreenSQL Security
 GreenSQL Security GreenSQL Security
GreenSQL Security
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web security
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
Data Base
Data BaseData Base
Data Base
 
Database security
Database securityDatabase security
Database security
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host Language
 
Introduction to SQL Injections
Introduction to SQL InjectionsIntroduction to SQL Injections
Introduction to SQL Injections
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReport
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Security vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataSecurity vulnerabilities related to web-based data
Security vulnerabilities related to web-based data
 
Database security issues
Database security issuesDatabase security issues
Database security issues
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 

More from Safwan Hashmi

MODERAN BLOCK CIPHER
MODERAN BLOCK CIPHER MODERAN BLOCK CIPHER
MODERAN BLOCK CIPHER
Safwan Hashmi
 
Dark web
Dark webDark web
Dark web
Safwan Hashmi
 
CEASER & VIGENERE CIPHER IMPLEMENTATION
CEASER & VIGENERE CIPHER IMPLEMENTATIONCEASER & VIGENERE CIPHER IMPLEMENTATION
CEASER & VIGENERE CIPHER IMPLEMENTATION
Safwan Hashmi
 
Incident managment plan
Incident managment planIncident managment plan
Incident managment plan
Safwan Hashmi
 
Business continuity plan
Business continuity planBusiness continuity plan
Business continuity plan
Safwan Hashmi
 
Sql injection
Sql injectionSql injection
Sql injection
Safwan Hashmi
 
Soap xp-wg
Soap xp-wgSoap xp-wg
Soap xp-wg
Safwan Hashmi
 
Database design
Database designDatabase design
Database design
Safwan Hashmi
 
Alpha beta prouning
Alpha beta prouningAlpha beta prouning
Alpha beta prouning
Safwan Hashmi
 
Color and color models
Color and color modelsColor and color models
Color and color models
Safwan Hashmi
 
Introduction to SOAP
Introduction to SOAPIntroduction to SOAP
Introduction to SOAP
Safwan Hashmi
 

More from Safwan Hashmi (16)

MODERAN BLOCK CIPHER
MODERAN BLOCK CIPHER MODERAN BLOCK CIPHER
MODERAN BLOCK CIPHER
 
Dark web
Dark webDark web
Dark web
 
CEASER & VIGENERE CIPHER IMPLEMENTATION
CEASER & VIGENERE CIPHER IMPLEMENTATIONCEASER & VIGENERE CIPHER IMPLEMENTATION
CEASER & VIGENERE CIPHER IMPLEMENTATION
 
Incident managment plan
Incident managment planIncident managment plan
Incident managment plan
 
Business continuity plan
Business continuity planBusiness continuity plan
Business continuity plan
 
Sql injection
Sql injectionSql injection
Sql injection
 
Soap xp-wg
Soap xp-wgSoap xp-wg
Soap xp-wg
 
Database design
Database designDatabase design
Database design
 
Alpha beta prouning
Alpha beta prouningAlpha beta prouning
Alpha beta prouning
 
Color and color models
Color and color modelsColor and color models
Color and color models
 
Introduction to SOAP
Introduction to SOAPIntroduction to SOAP
Introduction to SOAP
 
Democracy.s
Democracy.sDemocracy.s
Democracy.s
 
Democracy01
Democracy01Democracy01
Democracy01
 
Democracy.ppt
Democracy.pptDemocracy.ppt
Democracy.ppt
 
Calunization
CalunizationCalunization
Calunization
 
Development
DevelopmentDevelopment
Development
 

Recently uploaded

Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
joachimlavalley1
 
678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf
CarlosHernanMontoyab2
 
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdfAdversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
Po-Chuan Chen
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
Special education needs
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
beazzy04
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
JosvitaDsouza2
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
RaedMohamed3
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
Language Across the Curriculm LAC B.Ed.
Language Across the  Curriculm LAC B.Ed.Language Across the  Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
Atul Kumar Singh
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
BhavyaRajput3
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
vaibhavrinwa19
 

Recently uploaded (20)

Additional Benefits for Employee Website.pdf

Sql security

  • 6. Access Control in MySQL
    http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html
    - The primary function of the MySQL privilege system is to authenticate a user who connects from a given host and to associate that user with privileges on a database such as SELECT, INSERT, UPDATE, and DELETE.
    - There are some things that you cannot do with the MySQL privilege system:
      - You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection.
      - You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself.
      - A password applies globally to an account. You cannot associate a password with a specific object such as a database, table, or routine.
  • 7. Views in SQL
    A SQL View = (almost) any SQL query
    - Typically used as:
      CREATE VIEW pmpStudents AS SELECT * FROM Students WHERE…
      GRANT SELECT ON pmpStudents TO DavidRispoli
  • 8. Views in MySQL
    http://dev.mysql.com/doc/refman/5.0/en/create-view.html
    - Syntax:
      CREATE [OR REPLACE]
        [ALGORITHM = {UNDEFINED | MERGE | TEMPTABLE}]
        [DEFINER = { user | CURRENT_USER }]
        [SQL SECURITY { DEFINER | INVOKER }]
        VIEW view_name [(column_list)]
        AS select_statement
        [WITH [CASCADED | LOCAL] CHECK OPTION]
    - The DEFINER and SQL SECURITY clauses determine which MySQL account to use when checking access privileges for the view when a statement is executed that references the view.
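The row- and column-hiding view of slide 7, as an added example that is not part of the slides: Python's sqlite3 module stands in for MySQL, the Students rows and the ssn column are constructed for the example, and because sqlite has no GRANT the MySQL privilege step is shown only as a comment.

```python
import sqlite3

# Constructed sample data for the example (not from the slides): the ssn
# column stands for something the view must never expose.
STUDENTS = [
    ("Alice", "PMP", "alice@example.com", "123-45-6789"),
    ("Bob", "CS", "bob@example.com", "987-65-4321"),
    ("Carol", "PMP", "carol@example.com", "555-55-5555"),
]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Students(name TEXT, program TEXT, email TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?, ?)", STUDENTS)
    # The view hides the ssn column (column restriction) and every non-PMP
    # row (row restriction); consumers see only what the SELECT lists.
    conn.execute(
        "CREATE VIEW pmpStudents AS "
        "SELECT name, email FROM Students WHERE program = 'PMP'"
    )
    # In MySQL the matching privilege step from slide 7 would be:
    #   GRANT SELECT ON pmpStudents TO DavidRispoli;
    # with no grant on Students itself, so the grantee can only read the view.
    return conn


def view_rows(conn) -> list:
    """Rows visible through the view: PMP students only, no ssn."""
    return conn.execute("SELECT * FROM pmpStudents ORDER BY name").fetchall()


def view_columns(conn) -> list:
    """Column names the view exposes."""
    cur = conn.execute("SELECT * FROM pmpStudents")
    return [col[0] for col in cur.description]


def view_exposes_ssn(conn) -> bool:
    # Asking the view for a hidden column fails: the column does not exist
    # in the view, regardless of what the base table holds.
    try:
        conn.execute("SELECT ssn FROM pmpStudents")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = setup_db()
    print(view_columns(db))      # ['name', 'email']
    print(view_rows(db))         # Alice and Carol only
    print(view_exposes_ssn(db))  # False
```

The point the slide makes is that a view plus a SELECT grant on the view (and none on the base table) is the standard way to give a user a filtered picture of the data; in MySQL the DEFINER/SQL SECURITY clauses on slide 8 decide whose privileges are checked when the view is read.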
  • 9. Summary of SQL Security
    Access control = great success story of the DB community...
    ... or spectacular failure:
    - Only ~30% assign privileges to users/roles
    - And then to protect entire tables, not columns
    Limitations:
    - Often no row level access control
      - Note: DB specific – fine-grained access control is an active area of improvement
    - Table creator owns the data (not always fair)
  • 10. MySQL security
    http://dev.mysql.com/doc/refman/5.0/en/security.html
    Many aspects:
    - General factors that affect security. These include choosing good passwords, not granting unnecessary privileges to users, ensuring application security by preventing SQL injections and data corruption, and others. See Section 6.1, “General Security Issues”.
    - Security of the installation itself. The data files, log files, and all the application files of your installation should be protected to ensure that they are not readable or writable by unauthorized parties. For more information, see Section 2.18, “Postinstallation Setup and Testing”.
  • 11. MySQL security
    - Access control and security within the database system itself, including the users and databases granted with access to the databases, views and stored programs in use within the database. For more information, see Section 6.2, “The MySQL Access Privilege System”, and Section 6.3, “MySQL User Account Management”.
    - Network security of MySQL and your system. The security is related to the grants for individual users, but you may also wish to restrict MySQL so that it is available only locally on the MySQL server host, or to a limited set of other hosts.
    - Ensure that you have adequate and appropriate backups of your database files, configuration and log files. Also be sure that you have a recovery solution in place and test that you are able to successfully recover the information from your backups. See Chapter 7, Backup and Recovery.
  • 14. What is a SQL Injection Attack?
    Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
      SELECT productdata FROM table WHERE productname = ‘user input product name’;
    A SQL injection attack involves placing SQL statements in the user input.
  • 15. SQL Injection Attacks on the rise
    https://www.net-security.org/secworld.php?id=13313
    “Many, many sites have lost customer data in this way,” said Chris Hinkley, Senior Security Engineer at FireHost. “SQL Injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see.”
  • 16. 2012 News of SQL attacks
    http://www.mysqlperformanceblog.com/2012/07/18/sql-injection-still-a-problem/
    - An SQL injection vulnerability resulted in an urgent June bugfix release of Ruby on Rails 3.x.
    - Yahoo! Voices was hacked in July. The attack acquired 453,000 user email addresses and passwords. The perpetrators claimed to have used union-based SQL injection to break in.
    - LinkedIn.com leaked 6.5 million user credentials in June. A class action lawsuit alleges that the attack was accomplished with SQL injection.
    - SQL injection was documented as a security threat in 1998, but new incidents still occur every month. Making honest mistakes, developers fail to defend against this means of attack, and the security of online data is at risk for all of us because of it.
  • 17. Some good sites to learn more
    Prevention guide (with sample code in many languages): http://bobby-tables.com/
    Tutorials:
    - (webinar) http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and-fallacies
    - http://www.netrostar.com/SQL-Injection-Attack
    - http://www.unixwiz.net/techtips/sql-injection.html
    Cool site that lets you try out attacks on a sample DB and explains why they work: http://sqlzoo.net/hack/
    Research paper on how to retrofit existing websites to combat SQL injection attacks: http://lersse-dl.ece.ubc.ca/record/205/files/paper.pdf
  • 18. An Example SQL Injection Attack
    Product Search: blah' OR 'x' = 'x
    - This input is put directly into the SQL statement within the Web application:
      $query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $_POST['prod_search'] . "'";
    - Creates the following SQL:
      SELECT prodinfo FROM prodtable WHERE prodname = 'blah' OR 'x' = 'x'
    - Attacker has now successfully caused the entire database to be returned.
  • 19. A More Malicious Example
    - What if the attacker had instead entered:
      blah'; DROP TABLE prodinfo; --
    - Results in the following SQL:
      SELECT prodinfo FROM prodtable WHERE prodname = 'blah'; DROP TABLE prodinfo; --'
    - Note how the comment (--) consumes the final quote
    - Causes the entire database to be deleted
      - Depends on knowledge of the table name
      - This is sometimes exposed to the user in debug code called during a database error
      - Use non-obvious table names, and never expose them to the user
    - Usually data destruction is not your worst fear, as there is low economic motivation
  • 20. Other injection possibilities
    Using SQL injections, attackers can:
    - Add new data to the database
      - Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site
      - Perform an INSERT in the injected SQL
    - Modify data currently in the database
      - Could be very costly to have an expensive item suddenly be deeply ‘discounted’
      - Perform an UPDATE in the injected SQL
    - Often can gain access to other users’ system capabilities by obtaining their password
  • 21. Best defence
    If possible, use bound variables with prepared statements
    - Many libraries allow you to bind inputs to variables inside a SQL statement
    - Perl example (from http://www.unixwiz.net/techtips/sql-injection.html):
      $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");
      $sth->execute($email);
    - See http://bobby-tables.com for example code in many languages
  • 22. How does this prevent an attack?
    - The SQL statement you pass to prepare is parsed and compiled by the database server.
    - By specifying parameters (either a ? or a named parameter like :name) you tell the database engine what to filter on.
    - Then when you call execute the prepared statement is combined with the parameter values you specify.
    - It works because the parameter values are combined with the compiled statement, not a SQL string.
    - SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters you limit the risk of ending up with something you didn't intend.
  • 23. Other Defenses
    Use provided functions for escaping strings
    - Many attacks can be thwarted by simply using the SQL string escaping mechanism
      - ' becomes \' and " becomes \"
      - mysql_real_escape_string() is the preferred function for this
    Will not guard against all attacks
    - Consider:
      SELECT fields FROM table WHERE id = 23 OR 1=1
    - No quotes here!
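The string-splicing search of slide 18, the bound-parameter version of slides 21 and 22, and the unquoted numeric case of slide 23, run side by side as an added example that is not code from the slides. Python's sqlite3 module stands in for MySQL and the product rows are constructed for the example. The escape helper is a stand-in, not mysql_real_escape_string() (that function belongs to PHP's old mysql extension, which was removed in PHP 7): it doubles quote characters, the standard SQL form that sqlite accepts, and has the same blind spot on a value that is never inside quotes.

```python
import sqlite3

# Constructed product catalogue for the example (not from the slides).
PRODUCTS = [
    (1, "widget", "blue widget, 10 pack"),
    (2, "gadget", "gadget, single unit"),
    (3, "unreleased", "internal only: do not list"),
]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE prodtable(id INTEGER PRIMARY KEY, prodname TEXT, prodinfo TEXT)"
    )
    conn.executemany("INSERT INTO prodtable VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, user_input: str) -> list:
    # Slide 18's pattern: the user's text is spliced into the SQL string, so the
    # quote in "blah' OR 'x' = 'x" closes the literal and the rest becomes SQL.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = '" + user_input + "'"
    return [row[0] for row in conn.execute(query)]


def search_bound(conn, user_input: str) -> list:
    # Slide 21's fix: the SQL text is fixed when it is prepared; the value is
    # sent separately and can only ever be compared as data.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = ?"
    return [row[0] for row in conn.execute(query, (user_input,))]


def escape_quotes(value: str) -> str:
    # Stand-in for mysql_real_escape_string(): neutralise quote characters.
    # Uses standard SQL doubling ('' for ') so that sqlite accepts the result;
    # MySQL's function backslash-escapes instead, with the same limitation.
    return value.replace("'", "''").replace('"', '""')


def lookup_by_id_escaped(conn, user_input: str) -> list:
    # Slide 23's case: the value is escaped but sits unquoted in a numeric
    # comparison. "23 OR 1=1" contains no quotes, so escaping changes nothing
    # and the OR clause still reaches the parser.
    query = "SELECT prodinfo FROM prodtable WHERE id = " + escape_quotes(user_input)
    return [row[0] for row in conn.execute(query)]


def lookup_by_id_bound(conn, user_input: str) -> list:
    # Check the type first (an id must parse as an integer), then bind it.
    try:
        product_id = int(user_input)
    except ValueError:
        return []
    query = "SELECT prodinfo FROM prodtable WHERE id = ?"
    return [row[0] for row in conn.execute(query, (product_id,))]


if __name__ == "__main__":
    db = setup_db()
    payload = "blah' OR 'x' = 'x"
    print("vulnerable:", search_vulnerable(db, payload))        # all three rows
    print("bound:     ", search_bound(db, payload))             # []
    print("escaped id:", lookup_by_id_escaped(db, "23 OR 1=1"))  # all three rows
    print("bound id:  ", lookup_by_id_bound(db, "23 OR 1=1"))    # []
```

Two things worth noticing when running it. The bound search returns nothing for the slide-18 input because the whole string, quote and all, is compared against prodname as a value. And the stacked-statement input of slide 19 is not reproduced here because sqlite3's execute() refuses more than one statement per call; the MySQL C API likewise keeps multi-statement execution off unless the client asks for CLIENT_MULTI_STATEMENTS, which is one reason to leave that flag off in web applications.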
  • 24. More Defenses
    Check syntax of input for validity
    - Many classes of input have fixed languages
      - Email addresses, dates, part numbers, etc.
    - Verify that the input is a valid string in the language
    - Some languages allow problematic characters (e.g., ‘*’ in email); may decide to not allow these
    Exclude quotes and semicolons
    - Not always possible: consider the name Bill O’Reilly
      - Want to allow the use of single quotes in names
    Have length limits on input
    - Many SQL injection attacks depend on entering long strings
  • 25. Even More Defenses
    Scan query string for undesirable word combinations that indicate SQL statements
    - INSERT, DROP, etc.
    - If you see these, can check against SQL syntax to see if they represent a statement or valid user input
    Limit database permissions and segregate users
    - If you’re only reading the database, connect to the database as a user that only has read permissions
    - Never connect as a database administrator in your web application
  • 26. And Yet More Defenses
    - Configure database error reporting
      - Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.)
      - Configure so that this information is never exposed to a user
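The defenses of slides 24 to 26 combined in one lookup path, as an added example that is not code from the slides: syntax and length checks on the input (with a name rule that still admits Bill O’Reilly), a connection that holds only read rights, a bound parameter for the query itself, and error handling that logs database detail server-side while returning nothing database-specific to the caller. The members table mirrors the Perl query on slide 21 and its rows are constructed; the regular expressions are deliberately conservative example rules, not a full email grammar; sqlite's read-only URI mode stands in for a MySQL account granted SELECT only.

```python
import logging
import os
import re
import sqlite3
import tempfile

log = logging.getLogger("members")

# Constructed rows for the example (not from the slides).
MEMBERS = [("alice@example.com", 1), ("bill.oreilly@example.com", 2)]

# Slide 24: treat each input class as a small fixed language and check
# membership first. The email rule is an example rule (not RFC 5322): it
# admits no quotes, semicolons, spaces or '*'. The name rule keeps the
# apostrophe so names such as O'Reilly pass.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
NAME_RE = re.compile(r"[A-Za-z' -]{1,64}")
MAX_EMAIL_LEN = 254  # length limit: long inputs are rejected before any SQL


def valid_email(value: str) -> bool:
    return len(value) <= MAX_EMAIL_LEN and EMAIL_RE.fullmatch(value) is not None


def valid_name(value: str) -> bool:
    return NAME_RE.fullmatch(value) is not None


def create_db(path: str) -> None:
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE members(email TEXT, userid INTEGER)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    conn.commit()
    conn.close()


def open_readonly(path: str) -> sqlite3.Connection:
    # Slide 25: the web tier connects with only the rights it needs.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def find_userid(conn, email: str) -> dict:
    # Validate, then bind, then keep error detail out of the response (slide 26).
    if not valid_email(email):
        return {"ok": False, "error": "invalid email"}
    try:
        row = conn.execute(
            "SELECT userid FROM members WHERE email = ?", (email,)
        ).fetchone()
    except sqlite3.Error as exc:
        # Table and column names stay in the server log, never in the reply.
        log.error("member lookup failed: %s", exc)
        return {"ok": False, "error": "lookup failed"}
    return {"ok": True, "userid": row[0] if row else None}


def try_write(conn) -> str:
    # A write through the read-only connection is refused by the database itself.
    try:
        conn.execute("UPDATE members SET userid = 0")
        return "write allowed"
    except sqlite3.OperationalError:
        return "write refused"


def demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "members.db")
        create_db(path)
        conn = open_readonly(path)
        results = {
            "alice": find_userid(conn, "alice@example.com"),
            "injected": find_userid(conn, "x' OR 'x'='x"),
            "too_long": find_userid(conn, "a" * 300 + "@example.com"),
            "write": try_write(conn),
            "oreilly_name": valid_name("Bill O'Reilly"),
        }
        conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The validation step rejects the slide-18 style input before any SQL is built, the bound parameter covers inputs the rules do admit, and the read-only connection bounds the damage if both are somehow bypassed; each layer is independent of the others, which is the point of stacking them.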

Editor's Notes

  1. Views hide sensitive data by omitting rows, columns, breaking associations, or computing aggregates
  2. One of the most significant changes in attack traffic seen between Q1 and Q2 2012 was a 69% increase in SQL Injection attacks. Rising from 277,770 blocked attacks in the first quarter, to 469,983 between April and June, this type of attack is frequently cited as an attack vector of choice for data thieves.