(two of two articles)
This article is a little more technical than the first article, but I kept it as simple-worded as possible.
Is your website vulnerable? Very possible. You could do a few quick checks, but explaining how to write SQL Injection code is out of the scope of this blog. Websites written using Classic ASP language, PHP, AJAX, and other website languages are vulnerable, but that doesn't leave .NET websites in the clear. Any website that gives full access to the SQL database is vulnerable. That gives the hacker full range at manipulating the information in your database.
So, what are some ways to protect against SQL Injection?
Below are some recommendations on how to protect your database from SQL Injection Attacks. They should all be done, but some can be done independently or not at all.
- One way is to take an inventory of all dynamically driven pages. If it uses or talks to a database, it could be vulnerable. More investigation in the programming would identify if it is the extent of it vulnerability. There are some inexpensive automated tools out there that will identify the holes you may have in your website. For example Acunetix Web Vulnerability Scanner has a free version.
- Validate all data that gets passed to the database. For example, if the web page expects an integer data type, check to make sure a hacker is not trying to pass in a line of hacking code and only accept an integer value.
- Eliminate any inline SQL that is used on these pages and change them to parameter based stored procedures. When you use a stored procedure to talk to the database and use parameter objects, the data that gets passed to the database must be the right type. Stored procedures by themselves are not the answer alone.
- Limit the website login to the database to only run the stored procedures needed for the website. DO NOT give the website "dbo" access to the database.
- One way for hackers to grab the sensitive information is by viewing any errors from the website that their hacking attempts display. It is a way to grab sensitive data, like credit card number. Use a server 500 redirect page to redirect and SQL errors returned so they are not shown to the hacker.
- A recent widespread attack across the glob used access to the sys objects in the database to break in. So, deny access to the sys objects in the database to the web user.
- Never store sensitive information in clear-text within a database. Encrypt your sensitive passwords, credit card data, social security numbers, and other private information.
There are more advanced articles that explain these techniques and explain some of the terms used above in more detail. But I wanted to keep this article simple and to the point.
You can read more at ScottGu's Blog Tip/Trick: Guard Against SQL Injection Attacks