From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 5 Jun 2006 17:23:43 +0200
Subject: [REVS] Advanced Topics on SQL Injection Protection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060606095405.754CF57B0@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Advanced Topics on SQL Injection Protection
------------------------------------------------------------------------
SUMMARY
SQL injection is now one of the most common attacks in the Internet.
Simply go to Yahoo! or Google and search for "SQL injection" and we can
find tones of related documents.
Although the awareness of SQL injection is rising, still many people do
not have very concrete ideas on how to prevent SQL injection attack.
This article is not going to tell you what SQL injection is, nor going to
tell you the latest techniques in SQL injection attacks, but more
important, how to prevent SQL injection correctly and in a more integrated
approach.
DETAILS
Methods to prevent SQL Injection:
1. Input Validation - Development Phrase
2. Static query statement - Development Phrase
3. Least Privilege - Development Phrase
4. Code Verification - QA Phrase
5. Web Application Gateway - Production Phrase
6. SQL Driver Proxy - Production Phrase
7. MISC methods
Input Validation
Some programmers may think escaping apostrophe with two apostrophes (and
back slash with two back slashes for MySQL) is all input validation has to
do.
This is completely WRONG!
A few important steps are missed and probably the program is still
vulnerable to SQL injection.
There are at least four steps we have to do for input validation:
1. Escape apostrophe with two apostrophes (and back slash with two back
slashes for MySQL)
2. Make sure numeric fields really look like numbers
3. Do step 1" and 2" not only on users' direct input, but on all
non-constant variables
4. Check if the inputs are within your expectation (e.g. 0 < age < 120,
login id without space, etc.)
Escape inputs properly:
Escaping apostrophe with two apostrophes (or back slash with two back
slashes for MySQL) usually can be done with one line of code.
However, we have to ensure that the decoding is done in the correct order.
To avoid SQL injection properly, the apostrophe-escaped input should NOT
be further en/decoded by any other coding scheme.
To read more please download the presentation:
<http://www.owasp.org/index.php/Image:Advanced_Topics_on_SQL_Injection_Protection.ppt> http://www.owasp.org/index.php/Image:Advanced_Topics_on_SQL_Injection_Protection.ppt
ADDITIONAL INFORMATION
The information has been provided by <mailto:samng@sunzidigital.com.> Sam
NG.
The original article can be found at:
<http://www.owasp.org/index.php/Image:Advanced_Topics_on_SQL_Injection_Protection.ppt> http://www.owasp.org/index.php/Image:Advanced_Topics_on_SQL_Injection_Protection.ppt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
