A steady increase in the number of SQL injection attacks means that companies should review their applications for vulnerabilities and ensure those vulnerabilities are patched. Network Box has issued advice on protecting against SQL injection attacks to customers who operate public web servers, urging them to exercise caution, particularly where those servers are accessible over the Internet.
SQL injection attacks are extremely hard to stop at the gateway, because the attack arrives through a genuine application that has been exploited. Customers should review their application scripts regularly and ensure they are up to date with the most recent patches.
Network Box’s advice to companies, in addition to keeping application patches up to date, is to deploy three main methods to prevent such attacks:
- Use “parameterised” SQL statements: pass values to the SQL instruction as clearly separated parameters rather than building the statement from user input.
- Validate each parameter. For example, the ID parameter must be a number, or must be restricted to a set of permitted terms.
- “Escape” parameters before inserting them into the SQL statement. This ensures that any commands inserted by the hacker are treated as a value rather than as a command. So instead of comparing the id with “XX” and then executing “truncate table news”, the id is compared with “XX; truncate table news”, which is not a legitimate id and is rejected.
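The three measures above, shown together as an added Python example (this is not Network Box’s code): the id is validated as a number, then passed to the database as a bound parameter, which is how modern drivers perform the escaping the third point describes. The in-memory `news` table, its rows and the function names are constructed for this example.

```python
import re
import sqlite3
from typing import Optional

# Constructed sample rows standing in for the "news" table the advice refers to.
SAMPLE_ROWS = [(1, "Patch Tuesday summary"), (2, "Gateway maintenance window")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory news table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO news (id, title) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def validate_id(raw: str) -> Optional[int]:
    """Second measure: the id parameter must be a number (here, 1-9 digits).

    Anything else, including 'XX; truncate table news', is rejected up front.
    """
    if re.fullmatch(r"\d{1,9}", raw) is None:
        return None
    return int(raw)


def fetch_title(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """First and third measures: validate, then bind the value as a parameter.

    The '?' placeholder means the value is never spliced into the SQL text,
    so the driver compares it as a literal id rather than executing it.
    """
    news_id = validate_id(raw_id)
    if news_id is None:
        return None
    row = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else None


def fetch_title_bound_only(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Binding without validation: the hostile text is compared as an id and matches nothing."""
    row = conn.execute("SELECT title FROM news WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else None


def table_intact(conn: sqlite3.Connection) -> bool:
    """Confirm the news table still holds every constructed row."""
    return conn.execute("SELECT COUNT(*) FROM news").fetchone()[0] == len(SAMPLE_ROWS)
```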