Which of the following is the best strategy to prevent SQL injection attacks against a web application? (Source: Wentz QOTD)
A. Implement form-based authentication using the POST HTTP method
B. Employ an application framework that supports parameterized queries
C. Accept TLS/SSL connections only
D. Verify if the injections are automated by a robot
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Employ an application framework that supports parameterized queries.
- Form-based authentication using the POST HTTP method is a common way to send username and password to the backend server for authentication. It doesn’t help.
- TLS/SSL encrypts the malicious SQL code as normal data. It doesn’t help.
- After clicking the “I’m not a robot” icon, the attacker can go on typing in malicious SQL code. It doesn’t help.
- The best way to prevent SQL injection is to validate user inputs, so that any character that is not allowed is rejected.
- Parameterized queries don’t really validate user inputs; they just treat data as data, so that raw input never becomes part of the SQL query.
SQL injection occurs when a programmer concatenates strings to assemble SQL instructions. Strings are plain data, while SQL instructions are executable code.
- Users can type in snippets or fragments of SQL code as inputs in an HTML form, which will be posted to the back-end server for processing.
- If the programmer treats the SQL code posted by the attacker as ordinary data and combines it with the primary SQL instructions, the assembled SQL code can be executed successfully. That’s how SQL injection works.
SQL Query Assembled from Strings
The following example assembles a SQL query from strings without using SQL parameters. The user inputs, $email and $password, are expanded to raw strings and combined into the query; with the values an attacker supplies, the assembled query becomes (the -- turns the rest of the original statement into a comment):
SELECT * FROM users WHERE email = 'xxx@xxx.xxx' AND password = md5('xxx') OR 1 = 1-- ]');
Parameterized Query Example
@Age is a parameter declared in the parameter list and referenced inside the query text, @SqlInstruction; the value 99 is bound to it at execution time instead of being spliced into the string.
DECLARE @SqlInstruction NVARCHAR(500);
-- The query text contains only the placeholder @Age, never the caller's value.
SET @SqlInstruction = N'SELECT * FROM Users WHERE Age = @Age;';
-- sp_executesql receives the statement, the parameter definition, and the value separately.
EXEC sp_executesql @SqlInstruction, N'@Age INT', 99;
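As an added example (not code from the original post), the concatenated and parameterized forms of the login query above, run against a constructed SQLite table. SQLite has no md5() function, so a Python one is registered under that name; the attacker's password value is the same xxx') OR 1 = 1-- shown in the assembled query.

```python
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    """Hex MD5 digest, registered below as SQL md5() because SQLite has none."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not data from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, md5_hex)
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", md5_hex("alice-pw")),
         ("bob@example.com", md5_hex("bob-pw"))],
    )
    return conn


def build_concat_sql(email: str, password: str) -> str:
    """The query assembled from strings: input text becomes part of the SQL code."""
    return (f"SELECT email FROM users WHERE email = '{email}' "
            f"AND password = md5('{password}')")


def login_concat(conn: sqlite3.Connection, email: str, password: str) -> list:
    """Vulnerable: a password of xxx') OR 1 = 1-- rewrites the WHERE clause."""
    return sorted(row[0] for row in conn.execute(build_concat_sql(email, password)))


def login_param(conn: sqlite3.Connection, email: str, password: str) -> list:
    """Parameterized: ? placeholders are bound after parsing, so input stays data."""
    sql = "SELECT email FROM users WHERE email = ? AND password = md5(?)"
    return sorted(row[0] for row in conn.execute(sql, (email, password)))


if __name__ == "__main__":
    db = make_db()
    hostile = "xxx') OR 1 = 1--"
    print(build_concat_sql("xxx@xxx.xxx", hostile))
    print("concatenated:", login_concat(db, "xxx@xxx.xxx", hostile))   # every row
    print("parameterized:", login_param(db, "xxx@xxx.xxx", hostile))   # no rows
```

With the concatenated query the comment marker discards the closing `')` and `OR 1 = 1` matches every user; the parameterized query hashes the whole hostile string as a literal and matches nothing.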