
As a Network Administrator, how can you help to prevent a SQL Injection attack?

4 Answers

*   Review firewall and web server logs for potential threats
*   Prevent particular strings from passing through the firewall
*   Prevent IP traffic from particular web sites
*   Implement technology to scan your public facing web sites for potential issues
answered 1 year ago by R (19,530 points)
Validate any data once it is received. If a user had to input an age, make sure the input is an actual number. If it was a date, make sure the date is in proper format. Again, this will not prevent an SQL injection in itself; it just makes work harder for those trying to exploit an SQL server.
answered 1 year ago by anonymous
Error messages are useful to an attacker because they give additional information about the database that might not otherwise be available. It is often thought of as being helpful for the application to return an error message to the user if something goes wrong so that if the problem persists they have some useful information to tell the technical support team.

A better solution that does not compromise security would be to display a generic error message that simply states an error has occurred with a unique ID. The unique ID means nothing to the user, but it will be logged along with the actual error diagnostics on the server which the technical support team has access to.
answered 1 year ago by anonymous
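The generic-message-plus-reference-ID pattern from the answer above, written out as an added example (it is not code from the answerer or from any particular framework). The in-memory log sink and the failing query are constructed so the example runs offline; a real service would route the log record to its normal server-side logging pipeline and catch its database driver's specific exception class rather than `Exception`.

```python
import logging
import uuid

# Constructed in-memory log sink so the example runs offline. In production
# this would be the server-side log that only the support/ops team can read.
_server_log = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        _server_log.append(self.format(record))


logger = logging.getLogger("app.db")
logger.setLevel(logging.ERROR)
logger.addHandler(_ListHandler())
logger.propagate = False

GENERIC_MESSAGE = "An error occurred. Please contact support and quote reference {ref}."


def run_db_operation(operation):
    """Run a database callable. On failure, log the full diagnostics server-side
    under a fresh reference ID and hand the caller only that ID plus a generic
    message, so nothing about the schema or driver reaches the user."""
    try:
        return {"ok": True, "result": operation()}
    except Exception as exc:  # hypothetical: real code would catch the driver's error class
        ref = uuid.uuid4().hex
        # Exception type, text and traceback stay on the server, keyed by ref.
        logger.error("ref=%s error=%s: %s", ref, type(exc).__name__, exc, exc_info=True)
        return {"ok": False, "ref": ref, "message": GENERIC_MESSAGE.format(ref=ref)}


def server_log_entries():
    """Return what the support team would see (copy of the server-side log)."""
    return list(_server_log)


def _failing_query():
    # Constructed failure standing in for a driver error that would leak schema detail.
    raise RuntimeError("no such table: customers (column email)")


if __name__ == "__main__":
    response = run_db_operation(_failing_query)
    print("user sees:   ", response["message"])
    print("server logs: ", server_log_entries()[-1].splitlines()[0])
```

The user-facing string contains only the reference; the table and column names from the underlying error appear solely in the server-side record, which the support team can look up by that reference.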
•  Encrypt sensitive data.
•  Access the database using an account with the least privileges necessary.
•  Install the database using an account with the least privileges necessary.
•  Ensure that data is valid.
•  Do a code review to check for the possibility of second-order attacks.
•  Use parameterised queries.
•  Use stored procedures.
•  Re-validate data in stored procedures.
•  Ensure that error messages give nothing away about the internal architecture of the application or the database.
answered 1 year ago by anonymous
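An added example (not from any of the answerers) covering the "ensure that data is valid" and "use parameterised queries" points above, and the age/date validation from the second answer. It uses Python's standard `sqlite3` module with a constructed in-memory table; the `lookup_vulnerable` function shows the string-concatenation pattern that the advice exists to replace, and `lookup_parameterised` is the corrected form, so the two can be run side by side on the same input.

```python
import re
import sqlite3
from datetime import datetime


def parse_age(value):
    """Accept only a plain non-negative integer of up to three digits; return None otherwise."""
    if not isinstance(value, str) or not re.fullmatch(r"\d{1,3}", value):
        return None
    return int(value)


def parse_date(value):
    """Accept only ISO dates such as 2024-01-31; return None otherwise."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None


def make_db():
    # Constructed sample data: an in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 34), ("bob", 41), ("carol", 29)])
    return conn


def lookup_vulnerable(conn, username):
    """The pattern to avoid: user input is spliced into the SQL text, so it can
    change the statement's grammar rather than just its data."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    """The corrected form: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # constructed input that is not a real username
    print("concatenated:  ", lookup_vulnerable(conn, probe))
    print("parameterised: ", lookup_parameterised(conn, probe))
    print("age '34' ->", parse_age("34"), "| age '34abc' ->", parse_age("34abc"))
    print("date '2024-01-31' ->", parse_date("2024-01-31"),
          "| date '31/01/2024' ->", parse_date("31/01/2024"))
```

With the constructed input, the concatenated query returns every row because the quote closes the literal and the rest becomes part of the WHERE clause, while the parameterised query returns nothing, since no user is literally named that string. The validators complement this rather than replace it, as the second answer notes: they reject malformed input early, but the parameter binding is what keeps data out of the SQL grammar.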
