
Question

SQL injection attacks are not a new type of attack. In fact, they are a fairly old and well-understood attack that virtually all security practitioners are aware of and adept at protecting against. In spite of that, multiple high profile targets continue to fall prey to such simple and straightforward attacks.

What can we infer about security practices and protocols at the companies that are affected? Is security hard, or is it impossible? If we cannot defend against simplistic, known attacks, how can we be prepared to repel more sophisticated attacks?

Explanation / Answer

Yes, I agree. SQL injection is an old type of technique wherein malicious code is "INJECTED" into the database so that it helps with access violations, hacking and other forms of vulnerabilities. Yes, it is a simple type of attack, but we still fail to completely prevent it.

There are many reasons behind this. Some of the main reasons are given below.

1. The first main reason is lack of validation. The user's input should be validated before a request is sent to the database. Most companies still do not have complex data validation techniques in the first place. This is the root cause of the issue.

2. SQL queries are built from the user's input, which is passed with the purpose of injecting malicious code into them. The SQL query is dynamic in nature and is executed dynamically. We shouldn't allow dynamic query execution. The code should be written and wrapped in such a way that it uses prepared statements, not dynamic SQL statements.

3. We are also lagging in updating our systems. There are many vulnerabilities and new methods used to perform SQL attacks, and we are lagging in applying patches.

4. Privileges: It is already known that creating an administrator account with advanced privileges is not recommended. A standard account should be created for the administrator, and privileges obtained when needed.

5. Information should be encrypted with advanced encryption algorithms. Even if an attacker gains access to the database, he does not have any information that can be understood.

6. Keeping complicated passwords and changing them often would also help.

We are failing to prevent SQL injection attacks because of the above reasons. It is extremely difficult for us to handle sophisticated attacks in the future.
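Points 1 and 2 of the answer (input validation, and prepared statements instead of dynamic SQL) are easiest to see side by side in code. The following is an added example and is not part of the original question or answer; the `users` table, the rows in it, the function names, the allowlist pattern and the tampered input value are all constructed for illustration. It runs offline against an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed sample data (not from the original page): a tiny users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_dynamic(conn, username):
    """The 'before' case (answer point 2): dynamic SQL built by concatenation.
    Whatever the caller passes becomes part of the SQL text, so the query's
    structure is decided by the input rather than by the developer."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """The hardened case: a prepared (parameterized) statement.
    The SQL text is fixed; the driver hands the value over separately, so
    the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Hypothetical allowlist for usernames (answer point 1): lowercase letters,
# digits and underscore, 1 to 32 characters. A real application would pick
# the pattern that matches its own username rules.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Input validation: accept only values that match the allowlist.
    This is defence in depth; it does not replace prepared statements."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn, username):
    """Both controls together: reject bad input early, then query safely."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_prepared(conn, username)


def demo():
    """Compare row counts for a benign and a tampered input under each path."""
    conn = make_db()
    benign = "alice"
    # Constructed tampered value: closes the string literal and appends a
    # condition that is always true, so dynamic SQL matches every row.
    tampered = "x' OR '1'='1"
    return {
        "dynamic_benign": len(lookup_dynamic(conn, benign)),
        "dynamic_tampered": len(lookup_dynamic(conn, tampered)),
        "prepared_benign": len(lookup_prepared(conn, benign)),
        "prepared_tampered": len(lookup_prepared(conn, tampered)),
        "validation_benign": validate_username(benign),
        "validation_tampered": validate_username(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The dynamic query returns all three rows for the tampered value because the input rewrote the `WHERE` clause; the prepared statement returns none, because the same text is only compared against the `username` column as a literal string. The validator rejects the tampered value before any query runs, which is the layered approach the answer's points 1 and 2 describe. The same pattern applies to any driver that supports placeholders; only the placeholder syntax (`?`, `%s`, `:name`) differs.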