Saturday, December 12, 2009

SQL Injection - Is Your Website Protected?

Two websites for NASA's Instrument Systems and Technology Division and Software Engineering Division were recently broken into by a researcher using a SQL Injection attack. The researcher was able to get the credentials of about 25 administrator accounts which he then could have used to add web pages containing phishing scams and other bad content to the web site.

SQL Injection is one of the most common ways that the bad guys try to get into your website and steal information. In this attack, the hacker appends extra SQL commands to the input sent in a page request; if the web application splices that input straight into its database query, the back end database ends up executing the hacker's commands along with your own.

So, what should you do to protect your website against SQL Injection attacks? There are a number of simple steps that you can take:
  1. Make sure that your web developers are validating every input field on the website. For example, on a Contact Us form, the fields that the website visitor fills out should be checked for script tags and other malicious content before the entries are passed to the database.
  2. Make sure that your web developers use stored procedures (or at least parameterized queries) for all SQL database code used on the website. Because the visitor's input is handed to the database as a parameter value rather than pasted into the SQL text, a hacker cannot turn that input into additional database commands.
  3. Make sure that passwords are stored encrypted in the database, never in plain text. In the NASA example, if the passwords had been stored encrypted, the damage from the researcher/hacker breaking into the site would have been much smaller.
  4. Make sure that the account used by the website to access the database has only the privileges it actually needs. For example, if the account can do nothing more than run the SQL stored procedures you have created, the hacker will be hard pressed to get more information out of the database than he should. Never allow an admin account to be used to connect your website to the database!
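Here is a small, self-contained example (added for this post; it is not code from the NASA sites or from any product mentioned above) that puts the first three steps side by side. It uses Python's built-in sqlite3 module with a constructed in-memory database and a constructed user record, so it runs offline. It shows a lookup written with string concatenation, the same lookup written as a parameterized query, a whitelist validator for a username field, and a password check that stores a salted PBKDF2 hash rather than the plain-text password (hashing, rather than reversible encryption, is the usual choice for stored passwords and is what this example uses). The table layout, the username, the password and the sample malicious input are all made up for the demonstration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample data: a single "admin" user in an in-memory SQLite database
# standing in for the website's back end database.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "correct horse"          # constructed, for the demo only
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def hash_password(password: str, salt: bytes) -> bytes:
    """Step 3: never store the password itself; store a salted, slow hash of it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Create the constructed database with one user whose password is stored hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (SAMPLE_USER, salt, hash_password(SAMPLE_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def is_valid_username(username: str) -> bool:
    """Step 1: whitelist validation. Quotes, spaces and SQL punctuation are simply rejected."""
    return USERNAME_RE.fullmatch(username) is not None


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern behind the attack described in the post: the visitor's input is
    pasted straight into the SQL text, so quotes in the input rewrite the query."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Step 2: parameterized query. The driver sends the value separately from the SQL,
    so whatever the visitor typed is compared as data and never parsed as a command."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Steps 1 to 3 together: validate, query with a parameter, compare hashes in constant time."""
    if not is_valid_username(username):
        return False
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    db = build_db()
    # Constructed malicious input: a quote that closes the string plus a condition that is always true.
    malicious = "' OR '1'='1"
    print("concatenated query returns:", find_user_vulnerable(db, malicious))   # ['admin']
    print("parameterized query returns:", find_user_safe(db, malicious))        # []
    print("input passes validation?", is_valid_username(malicious))             # False
    print("correct password accepted?", verify_password(db, SAMPLE_USER, SAMPLE_PASSWORD))  # True
    print("wrong password accepted?", verify_password(db, SAMPLE_USER, "guess"))            # False
```

Run the file as-is: the concatenated version returns the admin row for input that names no user at all, while the parameterized version returns nothing for the same input. Even if the validator were skipped, the parameterized query would still treat the input as a plain string; the validator is an extra layer, not a substitute for step 2.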

As always, feel free to contact me if you have any questions.