posted on Wednesday, April 21, 2004 12:10 AM by demiliani
Defending against SQL Injection Attacks
In recent days I've mentioned the SQL Injection attack on a big Italian site, and I've also pointed out a simple site I received via email from a friend that seems ready to be hacked.
SQL Injection is a common type of attack against sites that use databases, and you have to be ready to prevent these possible attacks.
My personal advice for preventing SQL Injection attacks is the following:
- Test any possible user input carefully and check that no dangerous code can be injected into your SQL statements.
- Look at the URLs that receive parameters (something like http://www.mysite.com/index.asp?id=1) and check for possibly dangerous parameters.
- If possible, escape all single quotes (send the character to the SQL database preceded by a backslash (\) character to indicate that the character is not to be interpreted by the server but simply included as part of the string).
- If you have TextBoxes where users enter text (and you pass this text to SQL queries), set the MaxLength property of these TextBoxes so that a user cannot enter more than the maximum number of characters actually needed.
- Check the characters entered in the TextBox: they must be characters that are allowed for your application.
- Filter out characters like the single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
  - Input from users
  - Parameters from the URL
  - Values from cookies
- If you have a numeric value, convert it to an Integer or check that it is an Integer (using something like IsNumeric) before passing it into the SQL statement.
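Added example, not code from the original post: the checks above in Python with sqlite3 (an assumed stand-in for the ASP/SQL Server stack the post targets, with a constructed articles table), showing a lookup that pastes the URL parameter into the query beside one that applies the integer check and the character filter. The safe version also binds the value as a query parameter, a technique the post does not mention, so no quote escaping is needed at all.

```python
import re
import sqlite3

# Constructed sample data, not the post's: one public article and one hidden draft.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Public post", 0), (2, "Draft post", 1)])
    return conn

def lookup_unsafe(conn, raw_id):
    # The vulnerable pattern: the raw URL parameter (index.asp?id=...) is pasted
    # into the SQL text, so anything after the number becomes part of the query.
    sql = "SELECT title FROM articles WHERE id = " + raw_id + " AND secret = 0"
    return sorted(row[0] for row in conn.execute(sql))

def is_integer_param(raw):
    # The post's numeric check: accept only a plain decimal integer, nothing else.
    return re.fullmatch(r"[0-9]{1,9}", raw) is not None

def lookup_safe(conn, raw_id):
    # Validate first (the post's advice), then bind the value as a parameter so the
    # driver never treats it as SQL text. Parameter binding is an addition here.
    if not is_integer_param(raw_id):
        raise ValueError("id must be a plain integer")
    sql = "SELECT title FROM articles WHERE id = ? AND secret = 0"
    return sorted(row[0] for row in conn.execute(sql, (int(raw_id),)))

# Characters the post says to filter from form fields, URL parameters and cookies:
# single quote, double quote, slash, backslash, semicolon, NUL, CR, LF.
FORBIDDEN = set("'\"/\\;\x00\r\n")

def check_text_field(value, max_length):
    # The post's TextBox rules: enforce MaxLength and reject the listed characters.
    if len(value) > max_length:
        return False
    return not (FORBIDDEN & set(value))

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "1 OR 1=1 --"))   # the hidden draft leaks through the OR
    print(lookup_safe(db, "1"))               # only the public article
    print(check_text_field("it's", 20))       # False: contains a single quote
```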
These are small pieces of advice for your application, but there are also some things that are good to do at the SQL Server level.
The default installation of SQL Server runs as SYSTEM, the equivalent of Administrator level in Windows. An attacker could use stored procedures like master..xp_cmdshell to perform remote execution (by injecting strings like '; exec master..xp_cmdshell '............'-- into your SQL query).
What you can do is:
- Run your SQL Server under a low-privilege account.
- Delete the stored procedures that you are not using (like master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask).
I hope this post can serve as a small alert to check your applications.