SQL Injection Prevention

G5 Cyber Security

2 months ago

TL;DR

This guide shows you how to protect your web application from SQL injection attacks by using prepared statements and input validation.

What is SQL Injection?

SQL injection happens when attackers can insert malicious SQL code into your database queries. This could let them steal data, change information, or even take control of your server. It’s a serious security risk!

How to Prevent SQL Injection

Use Prepared Statements (Parameterized Queries)

Prepared statements separate the SQL code from the data you’re inserting. This means the database treats user input as *data*, not as part of the query itself.
Most programming languages and database connectors have built-in support for prepared statements.
Example (PHP with PDO):

$stmt = $pdo->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
$stmt->execute([$username, $password]);
$user = $stmt->fetch();

Input Validation

Even with prepared statements, it’s good practice to validate user input. This means checking that the data is what you expect before using it in your queries.
Types of validation:

Data Type Validation: Make sure numbers are actually numbers, dates are valid dates, etc.
Length Validation: Limit the length of input fields to prevent excessively long strings.
Allowed Characters: Only allow specific characters in certain fields (e.g., alphanumeric for usernames). Use a whitelist approach – define what *is* allowed rather than trying to block everything bad.

Example (PHP):

$username = $_POST['username'];
if (!preg_match('/^[a-zA-Z0-9]+$/', $username)) {
  // Invalid username - handle the error
  echo 'Invalid username format.';
} else {
  // Proceed with prepared statement (as above)
}

Escaping User Input (Generally Avoid)

While escaping can help, it’s not as reliable as prepared statements. It’s easy to make mistakes and leave vulnerabilities open.
If you absolutely *must* use dynamic SQL (which is strongly discouraged), use the database connector’s built-in escaping functions.

Least Privilege Principle

Make sure your database user accounts have only the necessary permissions to perform their tasks. Don’t give them full administrative access if they don’t need it.

Regular Security Audits & Updates

Periodically review your code for potential vulnerabilities and keep all software (databases, web servers, frameworks) up to date with the latest security patches.

Testing for SQL Injection

You can test if your application is vulnerable by trying to inject malicious SQL code into input fields. Be careful when testing – do this in a safe development environment, not on a live server!

Simple Test: Try entering `’ OR ‘1’=’1` into a username or password field. If it returns results unexpectedly (e.g., logs you in without the correct credentials), you likely have a vulnerability.