- Denish Patel
- 20th January 2010
Last couple of months, I came across two incidents of SQL injections due to most common errors by IT professionals.
“SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.”
Most common SQL injections are:
- Most common is Quote or Special character handling
2. Incorrect type handling
- Brazil incident fall into this category
3. Vulnerabilities inside the database server
- WSJ incident fall into this category : BAD password!
4. Blind SQL injection
- Result of this attack is not visible to hacker but it can help to exploit more SQL injections.
- conditional responses
- conditional errors
- execute long running queries
You can avoid these catastrophic SQL injections by little care during the web application coding such as using bind variables, verify input values and take care of escaping characters. Database level security such as password and access control also help to avoid SQL injections.
I hope this will save you from future SQL injection 🙂
- Connection Scaling
- PSQL Helper: Managing Connections and Simplifying Queries
- Vacuum Those MVs!
- Working With Repmgr: Using Other 3rd Party Tools for Setting up a Standby
- Working with Amazon Aurora PostgreSQL: dag, standby rebooted again!
- Working with Amazon Aurora PostgreSQL: what happened to the stats?
- How to set application_name for psql command line utility?
- Is there a limit on number of partitions handled by Postgres?
- Postgres 11 partitioning
- Audit logging with Postgres partitioning