SQL injection

Structured query language injection

"This server is vulnerable to an SQL injection attack. Make sure the input SQL query is validated."

Problem

An SQL injection attack is a type of vulnerability in the code of websites and web applications. This vulnerability allows an attacker to hijack back-end processes and interfere with the queries that an application makes to its database.

SQL injection attacks happen when data enters a program from an untrusted source. The data is then used to dynamically construct an SQL query.

When SQL injection attacks are successful, attackers can:

  • Log in to an application or a website front-end without a password.
  • Access, modify, and delete stored data from secured databases.
  • Create their own database records or modify existing records, paving the way for more attacks.

Solution

Prevent SQL injection attacks by:

  1. Using prepared statements (with parameterized queries) to make sure that the parameters (inputs) passed into SQL statements are handled in a safe manner.

  2. Allowlisting input data validation (do not blocklist). Do not filter user input based on blocklists. Attackers almost always find a way to bypass your list. If possible, verify and filter user input using strict allowlists only.

  3. Escaping special characters from input parameters when parameterized queries and validation of input data are not possible.

  4. Enforcing the principle of least privilege, strengthening access controls to your website to reduce security threats.

    To implement this principle:

    • Use the minimum set of privileges on your systems to perform an action.
    • Give privileges only for as long as the action is needed.
    • Do not give administrator access rights to application accounts.
    • Minimize the privileges of each database account in your environment.

Über

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.