How to protect database from SQL injections?

  #1 Bratislau

    How to protect database from SQL injections?

    Hello everyone!
    Say you are to launch some website which deals with huge databases. And you know that one of the most widespread cyber threats which can damage database privacy is SQL injection. How would you protect your website? What techniques would you use and why? Thank you! I will highly appreciate any assistance.


  #2 Parog
    Sanitize your data inputs and don't use old technology like MySQL. (Edit: I'm way tired; don't use "deprecated" technologies is what I meant. I was thinking of mysql_query() in PHP as an example. From experience, which isn't a lot to be fair (I loathe PHP), I had an easier time sanitizing with mysqli, which has built-in functions to help escape some of the characters used in SQL injections.)

    How to Protect Your Website Against SQL Injection Attacks (SitePoint) is a good read.
    Last edited by Parog; 04-17-2020 at 06:52 PM.

  #3 Sychotix (Moderator)
    Originally Posted by Parog:
    Sanitize your data inputs
    This. Don't think it matters the underlying tech you use if all your inputs going in are legit.

    Never trust input from a user. Also don't forget that any time you are displaying previous user input on the screen, it could be vulnerable to XSS.

  #4 GegeMon
    Originally Posted by Parog:
    Sanitize your data inputs and don't use old technology like MySQL.
    I would add that it is highly recommended to apply different strategies and not to count on some particular one. Say, using parameterized queries, stored procedures, input validation and escaping at the same time is better than using them separately. For better protection, use a web app firewall.
    UPD: Check this detailed material about SQL injections: How to Prevent SQL Injection: Attacks and Defense Techniques - Tutorial and Best Practices.
    Last edited by GegeMon; 3 Weeks Ago at 09:05 AM. Reason: additional info
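GegeMon's point that the defenses should be layered rather than relied on one at a time, as an added example that is not part of the thread. It is Python using the built-in sqlite3 driver so it runs without a MySQL server; the users table, its rows and the allow-lists are constructed for the demo. It shows why binding alone is not enough: a sort column and direction cannot be bound as parameters (a bound value is a string literal, not a column name), so those are checked against an allow-list; the name prefix is bound as a parameter, but LIKE wildcards inside it still have to be escaped or "a_" would match "alice".

```python
import sqlite3

# Allow-lists: identifiers and keywords cannot be bound as parameters, so the
# only safe way to accept them from the client is to map them to fixed strings.
SORT_COLUMNS = {"username", "created"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}

# Constructed sample rows (username, created); not data from the thread.
ROWS = [
    ("carol", "2020-04-01"),
    ("bob", "2020-04-02"),
    ("alice", "2020-04-03"),
    ("a_dmin", "2020-04-04"),
]


def make_db():
    """In-memory SQLite table standing in for the site's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, created TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def escape_like(text):
    """Escape LIKE metacharacters so user text matches literally.
    Parameter binding protects the query structure but says nothing about
    wildcards inside the bound value; that is this layer's job."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def list_users(conn, sort_by, order, name_prefix):
    """Return usernames starting with name_prefix, sorted as requested."""
    # Layer 1: allow-list validation for the parts that must become SQL text.
    if sort_by not in SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    if order not in SORT_ORDERS:
        raise ValueError("unsupported sort order: %r" % order)
    # Layer 2: escaping for the LIKE pattern; layer 3: binding for the value.
    pattern = escape_like(name_prefix) + "%"
    sql = ("SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
           "ORDER BY " + sort_by + " " + SORT_ORDERS[order])
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    conn = make_db()
    print(list_users(conn, "created", "desc", ""))    # newest account first
    print(list_users(conn, "username", "asc", "a_"))  # only a_dmin, not alice
    try:
        list_users(conn, "username; DROP TABLE users", "asc", "")
    except ValueError as exc:
        print("rejected:", exc)
```

The identifier check is deliberately a membership test against a fixed set and not a regex or an escaping call: there is no escaping routine that makes an arbitrary string safe to splice in after ORDER BY, so the input is only ever used to select one of the application's own strings.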

  #5 Dupheadss
    Sanitize all your data inputs, not just those specifically required for your SQL query / Database.

    If I am not mistaken the leading cause of website leaks is currently XSS (Cross-Site Scripting); the concept is similar to SQL injection & just as dangerous.

  #6 Veritable
    On top of sanitizing, you can also use prepared statements instead of just inserting values into the query.

    What not to do:

    Code:
    // Vulnerable: user input is concatenated straight into the SQL text.
    $action = $dbConnection->query("INSERT INTO MyTable (firstname, lastname, email) VALUES ('" . $firstname . "', '" . $lastname . "', '" . $email . "')");
    For PHP, use mysqli to do the insert, but use ? as a binding parameter in the query.

    Code:
    // Safe: the values travel to the server separately from the SQL text.
    $action = $dbConnection->prepare("INSERT INTO MyTable (firstname, lastname, email) VALUES (?, ?, ?)");
    $action->bind_param("sss", $firstname, $lastname, $email);
    $action->execute();
    Prepared statements sanitize them for injection, but perhaps not for anything on your end (special characters from alternate encodings, for example).
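The contrast in Veritable's post between concatenating values and binding them, together with Sychotix's point that stored input still has to be escaped when it is displayed, as an added example that is not part of the thread. It is Python using the built-in sqlite3 driver rather than PHP/mysqli so it runs without a MySQL server; the users table, its rows and the two payload strings are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample rows for the demo; not data from the thread.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Classic tautology payload: closes the string literal, adds an always-true clause.
INJECTION_PAYLOAD = "' OR '1'='1"
# Stored-XSS payload: harmless to the database, dangerous if echoed raw into HTML.
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db():
    """In-memory SQLite table standing in for the site's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, username):
    """What not to do: user input is spliced into the SQL text itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Prepared statement: the value is sent separately from the SQL text,
    so the input can never change the query's structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def concat_fails_to_parse(conn, username):
    """Concatenation is not only insecure: a legitimate apostrophe (O'Brien)
    turns the statement into a syntax error."""
    try:
        lookup_concat(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def store_and_fetch(conn, username, email):
    """Binding stores the payload byte for byte: it is data, not SQL."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, email))
    row = conn.execute("SELECT username FROM users WHERE email = ?", (email,)).fetchone()
    return row[0]


def render_username(username):
    """Output encoding: the prepared statement did nothing for HTML, so escape here."""
    return "<li>" + html.escape(username, quote=True) + "</li>"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_concat(conn, INJECTION_PAYLOAD))  # every row: WHERE became a tautology
    print(lookup_param(conn, INJECTION_PAYLOAD))   # []: the payload is just an odd username
    print(concat_fails_to_parse(conn, "O'Brien"))  # True
    print(lookup_param(conn, "O'Brien"))           # []: handled without error
    stored = store_and_fetch(conn, XSS_PAYLOAD, "mallory@example.com")
    print(render_username(stored))                 # tags neutralised for the browser
```

The last two functions are the caveat at the end of the post in code form: the bound INSERT keeps the script tag intact, which is exactly right for the database and exactly wrong for a page that prints it, so the HTML escaping belongs at the point of output, not at the point of storage.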

  #7 NitroDragon12
    Use prepared statements as mentioned above and also make sure you prevent XSS (Cross-Site Scripting).
