SQL Injection Attacks: Are You Safe? (Page 1 of 5 )
The database is the heart of most web applications: it stores the data needed for the web sites and applications to "survive". It stores user credentials and sensitive financial information. It stores preferences, invoices, payments, inventory data, etc. It is through the combination of a database and web scripting language that we as developers can produce sites that keep clients happy, pay the bills, and most importantly run our businesses.
But what happens when you realize that your critical data may not be safe? What happens when you realize that a new security bug has just been found? Most likely you either patch it or upgrade your database server to a later, bug-free version. Security flaws and patches are found all the time in both databases and programming languages, but I bet 9 out of 10 of you have never heard of SQL injection attacks...?
In this article I will attempt to shed some light on this under-documented attack, explaining what an SQL injection attack is and how you can go about preventing one from occurring within your company. By the end of this article you will be able to identify situations where an SQL injection attack may allow unauthorized persons to penetrate your system. You will also learn ways to fix existing code to prevent an SQL injection attack from occurring.
In this article I will focus specifically on Microsoft SQL Server 2000 and SQL injection attacks, however other databases such as MySQL and Oracle are also vulnerable, so if you're running another database system then you can still use the contents of this article to protect your database.