You can prevent SQL injection by using special database features to separate commands from data, or by keeping code vulnerable to SQLi out of your codebase.
SQL injection takes place when database software can’t tell the difference between arbitrary data from the user and genuine commands from the application. When an attacker injects commands into the data they send to a database, they can take database control away from the application owner. This can lead to data corruption, leaks of confidential data, or the bypass of essential logic (e.g., authentication, authorization checks).
The good news is that SQL injection is preventable using a special feature that allows database software to separate application commands from user-supplied data. Or by preventing untrusted user data from going directly to the database.
Let’s look out onto a variety of actionable ways to steer clear of SQL injection attacks:
Identify SQL injection attack vectors for your application and database solution.
- Check the National Vulnerability Database for known bugs in your chosen database solution.
- After selecting the database solution, analyze available safety features (e.g., parameterized queries). These allow the database to ignore any commands injected into data that the user supplies.
- Analyze the application’s design to identify potential SQL injection attack vectors. Additionally, highlight data paths where commands containing tainted data may be re-used to attack queries that don’t directly accept user data.
Develop SQL query best practices and protections.
- Write a set of coding standards that anticipate and protect common use cases for SQL database queries.
- Develop and approve safe SQL query templates and make them available for developer use.
- Identify database use cases that are unique to your application. Also develop custom validation or query building code if parameterization queries aren’t enough.
- Create or customize automated source code scanning tool rules to check for vulnerabilities as code is being written.
Educate developers about the SQL risks and protection methods.
- Ensure that developers are familiar with application-specific threats and data sources.
- Provide developers with foundational training about the risks and general mitigations involving SQL injection.
- Specify coding standards and standard SQL query templates. Run training sessions on the standards and templates so that developers clearly understand how to utilize them.
Find problems in the code.
- Perform automated testing to detect SQL injection vulnerabilities in the source code.
- Implement manual reviews to ensure that coding standards are followed when a SQL query appears in the code.
Test for SQL injection.
Don’t add SQL injection to your legacy.
- Make sure that safeguarded or privileged SQL queries and routines aren’t exposed to tainted data as new functionalities are added over the life of the application.
- Be vigilant for new SQL injection vulnerabilities that may lurk in third-party software or libraries that your applications depends on.
- Have a plan to securely fix any SQL injection vulnerabilities that make it into production.
- SQL injection is a serious concern. However, with the proper steps, prevention and mitigation can keep your applications securely on course.