Sql injection
• uzair
• Introduction
• Attack Intent
• Real World Examples
• How SQL Injection works?
• Video
• Impact of SQL injection
• Types of attacks
• Hack a website
• Defence Against SQL Injection
• Other Injection Types
• SQL Injection tools
• Conclusion
• On August 17, 2009, the United States Justice Department charged an
American citizen, Albert Gonzalez, and two Russians with the theft of
130 million credit card numbers using SQL injection attacks.
• In 2008 a wave of automated attacks began exploiting SQL injection
vulnerabilities in web applications running on Microsoft's IIS web server
and SQL Server database. Over 500,000 sites were compromised.
• The ability to inject SQL commands into the database engine through
an existing application.
• SQL injection is the use of publicly reachable input fields to gain entry to
your database.
• This is done by entering SQL syntax into form fields (or any other input
the application reads) instead of the expected data.
• Improperly coded forms, meaning any input the application concatenates
into a query, give an attacker an entry point to your database.
Unauthorized Access Attempt:
password = ' or 1=1 --
SQL statement becomes:
select count(*) from users where username = 'user' and password = '' or 1=1 --'
AND binds tighter than OR, so the WHERE clause reads (username = 'user' and password = '') or 1=1, which is always true; the -- comments out the application's own closing quote. The count is non-zero and access is granted without a password.
Database Modification Attack:
password = foo'; delete from users where username like '%
DB executes two SQL statements:
select count(*) from users where username = 'user' and password = 'foo'
delete from users where username like '%'
The application's closing quote completes the '%' pattern, so every row matches. Stacked statements like this only run where the database and driver accept more than one statement per call (SQL Server does; some drivers execute only the first statement or reject the call outright).
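The two payloads above, run as an added example (not code from the slides) against a toy login check written two ways: once by string concatenation, as on the slide, and once with bound parameters. The in-memory SQLite database, the `users` schema, the sample rows and the plaintext passwords are constructed for the demo; the `run_stacked` helper models a driver that accepts stacked statements, because SQLite's own `execute()` refuses them.

```python
"""Added example (not from the slide deck): the two payloads from the
slides against a toy login check built by string concatenation, and
against the same check written with bound parameters. The schema, the
sample rows and the 'users' table name are constructed for this demo."""
import sqlite3

TAUTOLOGY = "' or 1=1 --"
STACKED = "foo'; delete from users where username like '%"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows.
    Plaintext passwords only so the query matches the slide's example;
    a real system stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("user", "s3cret"), ("admin", "hunter2")])
    conn.commit()
    return conn


def run_stacked(conn: sqlite3.Connection, sql: str) -> list:
    """Model a driver that executes every ';'-separated statement it is
    handed (SQL Server behaves like this) and returns the first
    statement's rows. SQLite's execute() refuses stacked statements, so
    the split is done here to reproduce the slide's scenario."""
    rows = None
    for stmt in sql.split(";"):
        if stmt.strip():
            cur = conn.execute(stmt)
            if rows is None:
                rows = cur.fetchall()
    conn.commit()
    return rows or []


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The slide's query built by concatenation: user input becomes SQL."""
    sql = ("select count(*) from users where username = '" + username
           + "' and password = '" + password + "'")
    return run_stacked(conn, sql)[0][0] > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the database receives the query
    shape and the values separately, so quotes, '--' and ';' stay data."""
    row = conn.execute(
        "select count(*) from users where username = ? and password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("select count(*) from users").fetchone()[0]


def demo() -> dict:
    """Run both payloads through both implementations; return the outcomes."""
    results = {}
    conn = make_db()
    # AND binds tighter than OR, so the WHERE clause becomes
    # (username = 'user' and password = '') or 1=1: every row matches.
    results["vuln_tautology"] = vulnerable_login(conn, "user", TAUTOLOGY)
    # The login itself fails (count 0), but the second statement has
    # already emptied the table by the time the result comes back.
    results["vuln_stacked"] = vulnerable_login(conn, "user", STACKED)
    results["rows_after_vuln"] = user_count(conn)

    conn = make_db()
    results["safe_tautology"] = safe_login(conn, "user", TAUTOLOGY)
    results["safe_stacked"] = safe_login(conn, "user", STACKED)
    results["safe_real"] = safe_login(conn, "user", "s3cret")
    results["rows_after_safe"] = user_count(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the concatenated query the tautology payload logs in as `user` with no password and the stacked payload deletes every row; with bound parameters both payloads are compared literally against the stored password, fail, and leave the table intact.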
What it is?
SQL Injection lets a user-specified query execute in the database
in place of the query the programmer intended
• Shell injection.
• Scripting language injection.
• File inclusion.
• XML injection.
• XPath injection.
• LDAP injection.
• SMTP injection.
• BSQL Hacker
• SQLmap
• SQLninja
• Safe3 SQL Injector
• SQLSus
• Mole
• Havij
1. Comprehensive data sanitization
• Web sites must validate all user input against what the field is
expected to contain.
• For example, e-mail addresses should be filtered to allow only the
characters allowed in an e-mail address.
• Allow-list filtering of this kind catches most attempts to sneak SQL
through web channels, but it is a supporting layer, not a substitute for
point 4 below.
2. Use a web application firewall
• A popular example is the free, open source module ModSecurity.
• ModSecurity provides a sophisticated and continually updated set of rules
to filter potentially dangerous web requests.
• A WAF is a compensating control placed in front of the application; it
reduces exposure but does not remove the flaw from the code.
3. Limit database privileges by context
• Create multiple database user accounts, each with the minimum
privileges its usage environment needs.
• For example, the code behind a login page should query the database
using an account limited to the relevant credentials table.
• This way, an injection through the login page is confined to that table
and cannot be leveraged against the entire database.
4. Avoid constructing SQL queries with user input
• Even data sanitization routines can be flawed.
• Binding variables with prepared statements, or calling stored
procedures with bound arguments, is much safer than constructing full
queries from strings.
• A stored procedure is only as safe as its own SQL: one that assembles
dynamic SQL from its arguments is still injectable.
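Allow-list validation, the deck's first defence, matters most in the one place bound parameters cannot be used: identifiers such as a user-chosen sort column. The following is an added example, not code from the slides; the e-mail rule, the column map and the function names are assumptions made for the demo, and it goes beyond the slide's e-mail case to cover the identifier case as well.

```python
"""Added example (not from the slide deck): allow-list validation, the
deck's first defence, applied where bound parameters cannot be used. The
e-mail rule, the column map and the function names are assumptions made
for this demo."""
import re
from typing import Optional

# Conservative allow-list for an e-mail field: one local part, one '@',
# a dotted domain, and only characters ordinary addresses use. Stricter
# than RFC 5322 on purpose: it rejects the quote, space and comment
# characters an injection payload needs.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}"
)


def valid_email(value: str) -> bool:
    """True only if the whole string matches the allow-list."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


# Identifiers (table and column names, sort direction) cannot be passed
# as bound parameters, so a user-chosen sort column is looked up in an
# allow-list and the real column name is used; the user's string never
# reaches the query text.
SORT_COLUMNS = {"name": "username", "created": "created_at"}
DIRECTIONS = {"asc", "desc"}


def order_by_clause(requested: str, direction: str = "asc") -> Optional[str]:
    """Return a safe ORDER BY clause, or None if either input is not on
    the allow-list. Callers must treat None as a rejected request."""
    column = SORT_COLUMNS.get(requested)
    if column is None or direction not in DIRECTIONS:
        return None
    return f"order by {column} {direction}"


if __name__ == "__main__":
    for addr in ("alice@example.com", "' or 1=1 --@example.com"):
        print(addr, "->", valid_email(addr))
    print(order_by_clause("name"))
    print(order_by_clause("username; drop table users"))
```

The validated e-mail should still be bound as a parameter in whatever query uses it; validation is the second layer there. For the sort column the allow-list is the only defence, which is why it maps names to known columns instead of trying to filter characters out of the user's string.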
• The technique is based on malformed user-supplied data
• It transforms innocent SQL calls into malicious ones
• It causes unauthorized access, deletion of data, or theft of information
• Any database product can be a target of SQL injection; the technique is
not specific to one vendor.
• The vulnerability is in the application layer, not the database: it exists
wherever the application builds SQL from untrusted input and holds a
connection into the database.
• https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet#Parameterized_Query_Examples
• www.slideshare.net
• www.beyondsecurity.com
• www.breakthesecurity.cysecurity.org
• http://www.esecurityplanet.com/
• http://resources.infosecinstitute.com/best-free-and-open-source-sql-injection-tools/
