What is SQL Injection?
One of the most common and most destructive types of attack is SQL Injection. Its impact can be as simple
as deleting data or retrieving data, inserting data such as spam advertisements, or general website defacement.
By definition, SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application. The vulnerability is
present when user input is either incorrectly filtered for string literal escape characters
embedded in SQL statements, or is not strongly typed, and is thereby unexpectedly
executed as part of the query. SQL Injection is an instance of a more general class of vulnerabilities that can occur
whenever one programming or scripting language is embedded inside another. SQL injection
attacks are also known as SQL insertion attacks.
How can you prevent SQL Injection?
SQL Injection can be prevented quite simply. The developer must not generate SQL commands
dynamically by building them from user input, but must instead parameterize the SQL query. Because the application then knows in advance
that user input will only ever be supplied as values to already created SQL queries, that input cannot be executed
as custom SQL statements. It is very important that all websites are secured against SQL Injection, as automated bots can attack
thousands of websites concurrently.
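To make the difference concrete, here is an added example (not part of WebSafe's page) in Python using the standard sqlite3 module and a constructed in-memory users table: the same lookup written once by string concatenation and once with a bound parameter, run against a probe input that contains a single quote.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database with three users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn

def find_user_vulnerable(conn, username):
    # Vulnerable: the SQL text is generated dynamically from user input, so a
    # quote character in the input can change the structure of the statement
    # rather than just the value being compared.
    query = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]

def find_user_parameterized(conn, username):
    # Hardened: the statement is fixed in advance and the input is bound as a
    # parameter; the driver treats it purely as a value, never as SQL.
    query = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username,))]

if __name__ == "__main__":
    conn = make_db()
    # A probe containing a quote: the textbook tautology used in audits.
    probe = "nobody' OR '1'='1"
    print(find_user_vulnerable(conn, probe))      # every user leaks out
    print(find_user_parameterized(conn, probe))   # no user has that literal name
```

For a normal username both functions return the same single row; only the concatenated version lets the probe alter the query.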
WebSafe will test for SQL Injection:
Our security audit will attempt to place non-malicious SQL inputs into your website's input fields
to see if SQL or Blind SQL injection is possible, and will report the best method of defence for the website technology used.