
Question

"SQL Injection Attacks and Preventions"

From the e-Activities, describe the major concerns that information security professionals and SQL database administrators should have with SQL injection attacks. Additionally, provide the key reasons why you believe such attacks are popular among hackers, both malicious and ethical. Justify your response. Suggest what you believe to be the two (2) most critical best practices for protecting against SQL injection attacks, and establish whether or not you believe that there are significant efforts for security professionals who implement these best practices. Provide a rationale for your response.

Explanation / Answer

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

SQL injection attacks allow attackers to:

1. Spoof identity

2. Tamper with existing data

3. Cause repudiation issues such as voiding transactions or changing balances

4. Obtain complete disclosure of all data on the system

5. Destroy the data or make it unavailable

6. Become administrators of the database server and cause damage

These attacks can give the attacker control of the entire server and database, which holds people's private data such as bank account details that the attacker may use for personal gain. The attacker may also gain access to other sensitive details.

Best practices for fighting against SQL injection attacks

Use stored procedures:

Using stored procedures, the attacks will fail because the application lacks the permissions necessary to access or control the tables directly. In addition, a stored procedure type-checks its input parameters, which can help mitigate an attack if a hacker tries to inject a value that violates the expected type.

Use dynamic SQL only when we cannot avoid it:

Concatenating command language with user input increases the risk of SQL injection. One way to reduce the risks associated with dynamic SQL is to properly escape all user input. Escaping user-supplied values renders harmless the special characters that can be passed in with that input, such as brackets and single or double quotes. These characters, when combined with other language elements, can pose a threat to the database. To escape these characters, use the QUOTENAME or REPLACE function as appropriate to handle identifiers and string values.
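To make the stored-procedure and dynamic-SQL points above concrete, here is an added example (not part of the original answer) that runs the same lookup three ways against a constructed in-memory SQLite table: string concatenation, concatenation with the REPLACE-style quote doubling the answer describes, and a parameterized query, which is the property typed stored-procedure parameters give you. The table name, the account data and the input value are constructed for this example.

```python
import sqlite3

# Constructed sample data: a tiny accounts table with one legitimate quote-bearing owner.
ACCOUNTS = [("alice", 120.0), ("O'Hara", 75.5), ("bob", 10.0)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_concat(conn, owner):
    """Dynamic SQL built by concatenation: any quote in `owner` becomes SQL text,
    so the caller controls the statement rather than just the value."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def escape_literal(value):
    """Escaping fallback for dynamic SQL, equivalent to T-SQL REPLACE(@v, '''', ''''''):
    doubling each single quote keeps the whole value inside the string literal."""
    return value.replace("'", "''")


def lookup_escaped(conn, owner):
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + escape_literal(owner) + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, owner):
    """Parameterized query: the driver binds the value, so it is never parsed as SQL.
    Preferred over escaping; stored procedures with typed parameters behave the same way."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def demo(owner="O'Hara"):
    """Run all three lookups on one input and report how each behaves."""
    conn = make_db()
    results = {}
    try:
        results["concat"] = lookup_concat(conn, owner)
    except sqlite3.OperationalError as exc:
        results["concat"] = "error: " + str(exc)  # the quote broke the statement
    results["escaped"] = lookup_escaped(conn, owner)
    results["param"] = lookup_param(conn, owner)
    return results
```

The concatenated query fails on an ordinary name containing an apostrophe, which is the same parsing confusion an attacker exploits; the escaped and parameterized versions both return exactly the matching row.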

Use the principle of least access when granting database access:

Every database account should be assigned the least privileges necessary to access the database. Under no circumstances should we assign an administrative account to an application or database.

Use testing and monitoring to guard against SQL injection:

No matter how careful we are in protecting against SQL injection attacks, we should still run our database code through the necessary checks to make sure it is safe; thorough testing has to be done.