How To Protect Your Websites Against SQL Injection Attacks

A website that builds SQL queries from unchecked user input is vulnerable to SQL injection attacks. No single measure is enough on its own, so a layered approach works best: stop the injection where you can, and limit the damage where you cannot. The following are some of the layers you can put in place to start protecting your websites.

1. Sanitize the input

The first thing to do is check every input your website receives from users before it gets anywhere near a query. The naive approach is to reject characters that commonly appear in attack strings, such as:

("*^';&>/)

Rejecting characters is a blacklist, and blacklists are easy to bypass (alternative encodings, comments, and keywords that need no special characters at all). A better approach is to maintain a whitelist of accepted inputs: for each field, define what a valid value looks like (a number within a range, one of a fixed set of option values, a name made of letters) and reject anything else. This varies from site to site, as it depends on what each field is expected to contain.

A side benefit is that, besides making injection harder, it keeps malformed data out of your database. Note that this method requires some thought, as some "dangerous" characters are valid in some fields. For example, O'Brian is a last name, and it includes a single quote. Validation narrows what an attacker can send, but on its own it cannot make that quote harmless; that is the job of prepared statements, described next.
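A whitelist is defined per field, not as one global filter. The following is an added example, not code from the article or from Site Fixit; the form fields, the regular expression and the limits are this example's own assumptions. It validates three fields of a constructed search form: a last name that may legitimately contain an apostrophe or hyphen, a sort column that must be one of a fixed set, and a page size that must be a small integer.

```python
import re

# Per-field whitelists. Each validator describes what a legitimate value for
# that field looks like and rejects everything else, rather than hunting for
# "dangerous" characters. The fields and rules are assumptions for this
# example, not something the article specifies.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")   # letters plus a few joiners
PAGE_SIZE_RE = re.compile(r"[0-9]{1,3}")              # ASCII digits only
SORT_COLUMNS = {"username", "created_at", "last_login"}


class ValidationError(ValueError):
    """Raised for any input that does not match its field's whitelist."""


def validate_last_name(value: str) -> str:
    # Apostrophes and hyphens are legitimate here (O'Brian, Smith-Jones), so
    # the rule is "letters plus ' - and space", not "no quotes".
    if not NAME_RE.fullmatch(value):
        raise ValidationError("last name contains unexpected characters")
    return value


def validate_sort_column(value: str) -> str:
    # Identifiers cannot be bound as query parameters, so the only safe way to
    # let the user pick a column is to map the input onto a fixed set.
    if value not in SORT_COLUMNS:
        raise ValidationError("unknown sort column")
    return value


def validate_page_size(value: str) -> int:
    # Digits only (str.isdigit would also accept characters int() rejects),
    # then a range check on the converted number.
    if not PAGE_SIZE_RE.fullmatch(value):
        raise ValidationError("page size must be a positive integer")
    n = int(value)
    if not 1 <= n <= 100:
        raise ValidationError("page size out of range")
    return n


def validate_search_form(form: dict) -> dict:
    """Validate every field of a (constructed) search form and return the
    cleaned values; the whole request is rejected on the first bad field."""
    return {
        "last_name": validate_last_name(form.get("last_name", "")),
        "sort": validate_sort_column(form.get("sort", "username")),
        "page_size": validate_page_size(form.get("page_size", "20")),
    }


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, two hostile.
    samples = [
        {"last_name": "O'Brian", "sort": "created_at", "page_size": "50"},
        {"last_name": "x' OR '1'='1", "sort": "username", "page_size": "20"},
        {"last_name": "Smith", "sort": "username; DROP TABLE users", "page_size": "20"},
    ]
    for form in samples:
        try:
            print("accepted:", validate_search_form(form))
        except ValidationError as err:
            print("rejected:", form, "->", err)
```

Two things to notice. The sort column is checked against a fixed set because identifiers cannot be passed as query parameters, so a whitelist is the only safe way to let a user choose a column. And a value such as `Brian'--` still passes validate_last_name, since letters, an apostrophe and hyphens are all allowed; that is exactly the O'Brian problem. Validation shrinks what an attacker can send, but making the apostrophe harmless is the job of the prepared statement.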

2. Use prepared statements

Besides validating the user's input, prepared statements (also called parameterized queries) are the most effective single defense, and they belong on every query that involves user input. The SQL text is sent to the database with placeholders, and the user's values are sent separately as parameters, so the database never parses them as part of the statement: the quote in O'Brian, or in an attack string, is just data. Parameters can only stand in for values, though. Table and column names, sort directions and the like cannot be bound, so those inputs still need the whitelist from step 1.

3. Configure error handling

Attackers should not be given information that helps them, so make sure the error messages your site shows are generic and consistent (the same response for every failure) and never include debugging output such as the SQL statement, the database's own error text or a stack trace. Log those details on the server instead, where you can use them. This will not stop an attacker, since blind injection techniques work without any error output, but it removes the easiest feedback channel and greatly slows the attack down.

4. Adhere to proper access control

As with other aspects of computing security, accounts should have the minimum privileges needed for the tasks they perform. Your web application does not have to connect to the database as the database administrator (root, sa, postgres); give it its own account that can read and write only the tables, and ideally only the columns, it actually needs, and that cannot create or drop tables or run administrative commands. This way, even if an injection succeeds, it runs with the application account's privileges, and the attacker still does not get access to the rest of the database.
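Steps 2, 3 and 4 (prepared statements, generic error handling, and a least-privileged database account) in one runnable example. This is added here and is not code from the article or from Site Fixit. It uses Python's built-in sqlite3 module with constructed sample users. Because SQLite has no user accounts, the restricted application account is modelled with an authorizer callback that permits only SELECT on three columns of `users`; on a real server you would express the same policy with GRANT. The unparameterized lookup is kept deliberately so you can see what the lower layers catch when the top one is missing.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app.db")

# Constructed sample data for this example (not from the article).
SEED_SQL = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT NOT NULL,
    display_name  TEXT NOT NULL,
    password_hash TEXT NOT NULL
);
INSERT INTO users (username, display_name, password_hash) VALUES
    ('alice',  'Alice Adams', 'hash-a'),
    ('obrian', 'O''Brian',    'hash-b'),
    ('carol',  'Carol Chen',  'hash-c');
"""

# The only (table, column) pairs the application account may read.
READABLE = {("users", "id"), ("users", "username"), ("users", "display_name")}


def app_authorizer(action, arg1, arg2, db_name, source):
    """Stand-in for a least-privilege database account (step 4).

    Assumption: SQLite has no user accounts, so this authorizer callback
    models the role. On MySQL or PostgreSQL the same policy would be a
    GRANT SELECT on just these columns to a dedicated application user.
    Anything that is not a SELECT over the listed columns, including reading
    password_hash, writes, DDL and PRAGMAs, is denied.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in READABLE:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_app_connection():
    """Seed an in-memory database with full rights, then switch the
    connection to the restricted application role."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)          # runs before the authorizer is installed
    conn.set_authorizer(app_authorizer)   # every later statement is policy-checked
    return conn


def lookup_vulnerable(conn, display_name):
    # Deliberately unsafe (the "before" of step 2): the value is pasted into
    # the SQL text, so a quote in it changes the statement.
    sql = f"SELECT username, display_name FROM users WHERE display_name = '{display_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, display_name):
    # Prepared statement (step 2): the SQL text is fixed and the value is
    # bound to the placeholder, so the database never parses it as SQL.
    sql = "SELECT username, display_name FROM users WHERE display_name = ?"
    return conn.execute(sql, (display_name,)).fetchall()


def handle_request(conn, display_name, lookup=lookup_safe):
    """Step 3: whatever goes wrong, the client gets one generic message and a
    reference id; the real error text and the offending input are logged
    server-side only."""
    try:
        rows = lookup(conn, display_name)
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("db error ref=%s input=%r: %s", ref, display_name, exc)
        return {"status": 500, "body": f"Request failed (ref {ref})"}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    conn = open_app_connection()
    for payload in ("O'Brian",
                    "x' OR '1'='1",
                    "x' UNION SELECT username, password_hash FROM users --"):
        print(repr(payload))
        print("  vulnerable:", handle_request(conn, payload, lookup_vulnerable))
        print("  prepared  :", handle_request(conn, payload, lookup_safe))
```

Running it shows each layer doing its job. With the prepared statement, O'Brian is found and both attack strings return no rows. With the unparameterized query, O'Brian produces a syntax error (the client sees only `Request failed (ref ...)`), `x' OR '1'='1` still dumps every display name (least privilege limits what is readable; it does not stop the injection), and the UNION attempt on password_hash is refused by the authorizer, with the real `not authorized` error and the payload recorded in the server log rather than shown to the user.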

While these cover some ways of protecting your website against SQL injection attacks, this is by no means a comprehensive list. There are always other ways to attack a server, and, as with other aspects of security, having several layers of defense is advisable.

About Site Fixit!

Sam is a professional web designer and web developer. He has over 15 years of experience with web-related technologies, and loves making things work.
