A(n) SQL injection vulnerability was recently discovered on your site. Why should you care and what should you do?
First, what exactly is SQL injection?
SQL injection is a form of attack in which malicious SQL statements are inserted into a web page form field and executed. Web pages/applications vulnerable to SQL injection essentially place their entire databases at risk.
Consider this (fairly common) scenario:
- An attacker crafts a malicious SQL statement and issues it from a vulnerable input on your website.
- The attacker manages to receive key information from the database, such as personal or financial information, sensitive user info, and passwords.
- The attacker also makes changes to the database, making him or herself an administrator of the site, and then does other nefarious things such as (but not limited to) deleting records, installing malware, etc.
It can feel like a waste of time to drop what you’re working on now and spend time fixing old code. But, the benefit is in minimizing the likelihood your site/application will be used to defraud people or otherwise cause harm.
What causes a(n) SQL injection vulnerability?
The most common cause is the programmer practice of simply concatenating unsanitized user input with other strings to form the SQL queries issued to the database.
Additionally, outputting detailed database error messages often provides an attacker with clues needed to create an effective SQL injection attack.
What can I do to fix it?
- Use prepared statements (also known as parameterized queries) rather than simple string concatenation when building your SQL queries.
- Never trust user input. In other words, all user input should be sanitized at both the client and server so that potentially dangerous characters, text, or code is removed (or rendered benign) through the use of escaping, filtering, and validating. There are libraries to help with this on every platform.
- Avoid outputting verbose error messages, which can provide an attacker with valuable clues as to how best to exploit a(n) SQL injection vulnerability.
The following resources are a great place to gain a deeper understanding of SQL injection as well as the techniques used to mitigate it.
Resources
- A guide to SQL injection, by PortSwigger Web Security (includes hands-on labs, which require sign-in)
- SQL CheatSheet, from OWASP
- How to write secure PHP code, by WordFence
The Office of Information Security teaches hands-on secure coding workshops for web developers, which include understanding and mitigating SQL injection attacks. If you or your team is interested, please contact Pete Graff at pgraff@uw.edu.