Tips to Handling SQL Injection Attacks
Tips to Handling SQL Injection Attacks - SQL injection is an attack on computer security in which an attacker gains access to the database behind an application by exploiting a weakness in the database layer of an unprotected application.
The method used by the attacker is actually very simple: the attacker tries to insert invalid or crafted queries through an input field or through the URL. Because the technique is so simple, some programmers sometimes ignore it.
Know How SQL Injection Works
In general, the SQL syntax most often used when developing an application falls into the category of DML (Data Manipulation Language) commands, i.e. INSERT, UPDATE and DELETE. For example, suppose we have a web page with a URL like this:
http://www.domain.com/index.php?id=10
The query that displays the record for the URL above is usually like this:
select * from tblBerita where id = 10
The PHP code that builds this query would then look like this:
$SQL="select * from tblBerita where id = '".$_GET['id']."'";
When the query executes normally, the database server returns results matching the parameter that was sent. But if we modify the parameter sent through the URL by adding a special character, the single quote ( ' ), like this:
http://www.website.com/index.php?id=10'
then the SQL query can no longer be executed and the database server returns an error message like this:
#1064 - You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
This happens because, behind the scenes, the SQL query that actually runs is:
select * from tblBerita where id ='10''
This is the hole in the site, and it is easily exploited by the SQL injection method, all the more so when the attacker uses SQL injection tools that automate the work.
Secure From SQL Injection Attacks
There are several ways to counter SQL injection attacks. One is to write an anti-SQL injection routine that uses the mysql_real_escape_string function; its use is as follows (note that the mysql_ extension, and with it mysql_real_escape_string, was deprecated in PHP 5.5 and removed in PHP 7, so on current PHP versions prepared statements via PDO or mysqli are the supported way to keep query text separate from data):
$id = mysql_real_escape_string($_GET['id']);
Beyond that, here are some practical tips you can apply to secure your website against SQL injection attacks:
- Limit the length of input boxes (where possible), and enforce the limit in the program code as well, so a novice attacker is stopped for a moment when the input box cannot be injected with a long command.
- Filter the input entered by the user, especially single quotation marks (input validation).
- Turn off or hide the error messages returned by the running SQL server.
- Turn off standard facilities such as stored procedures and extended stored procedures if possible.
- Change the account under which SQL Server starts and runs to a low-privilege user, on the SQL Server Security tab.
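As an added example (not code from the original post), here is the vulnerable query from the "Know How SQL Injection Works" section placed beside a hardened version that applies the advice above: a PDO prepared statement so the value travels separately from the SQL text, digit-only validation of the id, and SQL errors logged server-side rather than shown to the user. The DSN, credentials and the tblBerita schema are placeholder assumptions.

```php
<?php
// Added example, not the article's own code. Assumes a MySQL database "news"
// containing tblBerita(id INT, ...); $dsn, $user and $pass are placeholders.
$dsn  = 'mysql:host=localhost;dbname=news;charset=utf8mb4';
$user = 'app_user';   // placeholder
$pass = 'app_pass';   // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// VULNERABLE (as in the article): the input is concatenated into the SQL text,
// so id=10' produces ... where id = '10'' and the quote becomes syntax.
function fetchNewsVulnerable(PDO $pdo, string $id): array
{
    $sql = "select * from tblBerita where id = '" . $id . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed; the value is bound as a parameter, so a
// quote in the input is only data. The id column is numeric, so anything that
// is not a string of digits is rejected before the query is even prepared.
function fetchNewsSafe(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $pdo->prepare('select * from tblBerita where id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handling the request index.php?id=10' from the article: the hardened path
// returns no rows instead of leaking a MySQL syntax error to the browser.
$id = $_GET['id'] ?? '';
try {
    $rows = fetchNewsSafe($pdo, $id);
} catch (PDOException $e) {
    // Tip from the article: hide database errors. Log the detail, show nothing.
    error_log($e->getMessage());
    http_response_code(500);
    exit('An error occurred.');
}
```

With the same request, fetchNewsVulnerable throws the #1064 syntax error shown earlier, while fetchNewsSafe simply returns an empty result set.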
Tools Used For SQL Injection
For reference, here are tools that are often used to test the application you are developing for SQL injection problems:
- BSQL Hacker, developed by Portcullis Labs, is a SQL injection tool designed to work against almost all database types.
- Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities in web pages.
That concludes this article on tips for overcoming SQL injection attacks; hopefully this short article is useful for all of us.