rr How to Prevent SQL Injection Vulnerability? Website Security | The Hackers Store



How to Prevent SQL Injection Vulnerability? Website Security

Hi webmasters and budding Pen Testers, I hope you read my article about SQL Injection . Our Aim is to provide Security, right? So here is...

Hi webmasters and budding Pen Testers, I hope you read my article about SQL Injection. Our Aim is to provide Security, right? So here is the prevention techniques.

Use Prepared Statements:

Use prepared statements, parameterized queries, or stored procedures. Don't use Dynamic SQL.
  • In Java you can use PreparedStatement() with bind variables 
  • In .NET you can use parameterized queries, such as SqlCommand() or OleDbCommand() with bind variables
  • In PHP you can use PDO with strongly typed parameterized queries (using bindParam()).

You can use Stored Procedures also.  Unlike prepared statements, stored procedures are kept in the database. Both require first to define the SQL code, and then to pass parameters.

Use Less Privilege Account:
Use less privilege account for database connections.  That account should not be able to drop the able or create.  Maintain two separate accounts.

Escape user input.

This powerful function rejects the possibility of many clever techniques used by the intruders. php provides escpe string function.  Later we will discuss about the syntax.

Assume magic quotes is always off.

When the magic_quotes_gpc variable is off, this can prevent some (but not all) SQL injection attacks. Magic quotes are not an ultimate defense and what is worse - sometimes they are off and you don't know about it. This is why it is necessary to have code for the substitution of quotes with slashes. Here is :

$username = $_POST['username'];
$password = $_POST['password'];
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
if the magic quotes is enabled , the following problem will arise:
  •  Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.[7]
  •  Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database — protected by magic quotes — and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
  • Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode aware and still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters are preferred.[8][9]
  • While many DBMS support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash.
  • Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or the other way round.
  • Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary performance overhead.
  •  Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.

Install patches regularly and timely.

Even if your code doesn't have SQL vulnerabilities, when the database server, the operating system, or the development tools you use have vulnerabilities, this is also risky. This is why you should always install patches, especially SQL vulnerabilities patches, right after they become available.

Use automated test tools for SQL injections.

Even if you follow the above said prevention, there will be some vulnerability.  You may not notice it.  So check the vulnerability of your web application with some kind of SQLi tools.

Try SQL inject Me tool  to test the Vulnerability of your WebSite.

See i just explained theoretically,  I didn't explain with code.  Don't worry, wait for my next post.



0day,4,404,1,Account,1,Acunetix,1,Adobe,1,Android,12,anonymity,3,Antivirus,5,Apk,2,App Store,1,audio,1,backdoor,1,Backtrack Tutorials,6,Binders,1,Blogger,9,blogger templates,1,blogging,1,boot2root,1,Booters,1,Breach,1,Brute Force Cracking,4,bug bounty hunting,3,business,1,c99,1,Cain and Abel Tool,3,Candy Crush Soda Saga,1,CEO,1,clone,5,Command Prompt Hacks,2,computer,1,Computer Tricks,5,cookie,1,Cookie Stealing,2,cookies,1,Corrupt,1,Cpanel Cracking,1,Cpanels,1,cracked apk,1,Cracked PC Game Latest,1,cracking,9,Create Virus,2,Cross site Scripting,3,Crypter,1,Cryptography,1,CTF,1,Cyber News,9,Cyber War,1,darknet,1,Data,1,Database Hacking,4,DDOS,1,DDoS Attack Pack,1,deepweb,2,deface,4,Dictionary Attacks,2,DNN,1,DNS Hacking/Hijacking,2,Domain,3,Dorks,2,Dos/DDos,3,Doxing,2,Drupal,1,Election Commission,1,Email Hacking,14,EVM Hacking,1,Exploits,12,Extratorrents,1,Facebook,31,Facebook Hacks,29,Fake Call,2,Features,1,free,1,Free Minutes,3,Free Recharge,6,Free Softwares,20,Freeze,1,FreeZone,9,Games,7,Gmail Hacks,15,Gold,1,Google Chrome Tricks,4,google dorks,2,Google Play Store,1,Google Tricks,8,Grand Theft Auto 5 {G.T.A V },1,hack cctv camera,1,Hacking,37,hacking Tools,24,Hacking Tricks,28,Hash Codes Cracking,5,Hash Types,1,havij,1,hotmail,2,how to,12,HTML Injection,1,images,1,information gathering,1,Information Security,1,Information Security Event,1,Information Security Summit,1,internet,2,internet hacks,33,Internet security,1,ip hacking,1,javascript,2,Joomla,2,kali,6,Kali Linux,3,Keyloggers,11,Kickass Torrents,1,Latest,1,LinkedIn,1,linux,1,Lucky Patcher,1,lucky patcher cracked,1,lucky patcher cracked latest,1,MAC,1,Make Money,6,Malware Protection,2,MD5 Cracking,1,messages,1,Messenger,1,Metaspolit,4,MMS,1,Mobile Tricks,22,Modded APK,3,Modded quickly,1,Netbios Hacking,1,network security,10,News,3,Notepad Tricks,2,operating system,2,OphCrack,1,OSINT,1,OurMine,1,password Crack,7,PC,1,pentesting,7,pentesting tools,5,Phishing,1,Phising,1,Prank calls,1,RAT,4,RAT's,1,receive,1,reconnaissance,3,redirect,1,remote hacking,3,Rockstar,1,Scanner,2,Security,3,security tips,10,send,1,SEO,3,Sharecash,1,Shell,5,Shell Upload,3,Sms,1,SMS Bomber,1,Social Engineering,2,Spoofing,1,SQL,13,SQL Hacks,10,SQL Injection,2,Stealers,1,Tech News,8,template,5,text,1,tips,1,Torrents,2,tricks,10,twitter,1,video,1,Virusses,1,VLC Media Player Tricks,4,Vulnerability,23,vulnhub,1,Web Application Vulnerability,17,Webcam (Cam),1,website hack,42,WhatsApp,1,WHMCS Hacking,1,Windows Hacks,16,Wordpress,1,writeup,1,XSS,6,yahoo,3,
The Hackers Store: How to Prevent SQL Injection Vulnerability? Website Security
How to Prevent SQL Injection Vulnerability? Website Security
The Hackers Store
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy