Securing your Website from SQL Injection Attacks
This is a guest post written by Sunny Popali who writes for MattressNextDay.co.uk.
One of the easiest (and therefore most common) methods of attacking a website is SQL injection. An SQL injection attack (SQLIA) introduces malicious code to your web server through an input field. The malicious code can be a command that lets unauthorized users view restricted data. It can even bypass authentication checks, dump your database to another server, or delete entire sections of your data.
SQL injection is widely recognized as one of the most prevalent web application vulnerabilities. There are five main subclasses of SQL injection attack, based on how the malicious code is deployed:
- Classic SQLIA
- DBMS-specific SQLIA
- Compounded SQLIA
- Inference SQL Injection
- Interacting with SQL Injection
How SQLIA impacts websites
Admittedly, the issue of SQLIA can seem hard to understand for those who are not well-versed in code. If the ramifications of an SQLIA are not that clear to you, then the following real-life examples should give you a better idea of the gravity of an SQLIA threat.
- Back in 2005, a code-savvy teenager broke into the website of an information security magazine and stole customer information using SQL injection. A year after that, a ring of Russian criminals infiltrated the Rhode Island government website and stole credit card information from Americans who used their cards to make online payments to various state agencies.
- In 2008, an SQLIA enabled a hacker to download more than ten thousand Social Security numbers belonging to registered sex offenders in Oklahoma. As a result, the government website for Oklahoma’s Sexual and Violent Offender Registry was forced to shut down in order to implement damage control.
Many more incidents are reported every year, including some involving major companies and sensitive financial information.
Securing your website
A determined hacker may spend hundreds of hours looking for weak spots in your website, but keeping your bases covered will keep you reasonably protected against such attempts. According to most experts, one way to secure your website against SQLIA is to centralize all your database connections in a single file, typically by pulling it in with PHP’s include() function. That way all your queries follow the same format, and there are fewer chances of leaving a vulnerable spot open.

Another way to strengthen your site’s security is to declare variables before using them in a script. Many programming languages force you to do this anyway, but PHP does not. And of course, once you have cleaned all variables (for best practice, start at the beginning of each page), it pays to check and re-check.
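As an added example (not code from the original post or its author), here is the same PHP login lookup written two ways: with the input concatenated into the SQL text, and with a PDO prepared statement that binds the input as a value. The in-memory SQLite database, the users table, the sample account and the input string are all constructed for this illustration.

```php
<?php
// Added example: constructed in-memory database with one sample user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)");
$insert = $db->prepare("INSERT INTO users (username, password_hash) VALUES (:u, :h)");
$insert->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// VULNERABLE ("before"): the input becomes part of the SQL text, so a quote
// character in the input can change the structure of the query.
function findUserVulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE ("after"): the SQL text is fixed at prepare time and the input is sent
// separately as a bound value, so it can only ever be compared as data.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, username, password_hash FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed input of the kind the post describes as bypassing authentication:
// a quote closes the string literal and a tautology matches every row.
$suspiciousInput = "' OR '1'='1";

$vuln = findUserVulnerable($db, $suspiciousInput);
$safe = findUserSafe($db, $suspiciousInput);

// The concatenated query returns a real account for an input that is not a
// username; the prepared statement correctly finds no such user.
printf("concatenated lookup: %s\n", $vuln ? $vuln['username'] : 'no user');
printf("prepared lookup:     %s\n", $safe ? $safe['username'] : 'no user');

// Only after a row is found by username should the password be checked,
// using the stored hash rather than comparing passwords inside the SQL.
$ok = $safe !== null && password_verify('correct horse', $safe['password_hash']);
printf("login allowed: %s\n", $ok ? 'yes' : 'no');
```

Requires the pdo_sqlite extension, which ships with most PHP builds; the same PDO calls work unchanged against MySQL or PostgreSQL once the DSN is swapped.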
Sunny Popali is Global Brand Manager for Mattressnextday, the UK’s no. 1 mattress brand. Mattressnextday sells double mattresses, single kids’ mattresses, comfortable double mattresses, and soft memory foam mattresses.