1 of 7

SQL Injection and Security

A few more details than in Section 9.5 of the zyBook

2 of 7

Database Security 101

Example Threats

  • Data breaches
  • SQL injection
  • Denial of service
  • Insider threats
  • Other vulnerabilities

Example Controls

  • Permissions (users/groups)
  • Views (for limiting access)
  • Encryption (e.g., passwords)
  • Fault tolerance (hot standby)
  • Logging, monitoring, auditing

3 of 7

Exploits of a Mom

4 of 7

Traffic Cameras

5 of 7

Other Examples

Hello, my name is: ' OR '1' = '1

SELECT * FROM users WHERE name = '' OR '1' = '1';

Or, my password is: ' OR 1 = 1; --

SELECT * FROM users WHERE password = '' OR 1 = 1; --';

Little Bobby Tables: '; DROP TABLE users; --

SELECT * FROM users WHERE name = ''; DROP TABLE users; --';

NEVER CONCATENATE USER INPUT!

# The input lands inside the SQL text, so a quote in it ends the string literal
sql = "SELECT * FROM users\n" \
      f"WHERE name = '{userName}';"

6 of 7

What can SQL injection do?

  • Identify injectable parameters
  • Extract data
  • Add or modify data
  • Denial of service
  • Evade detection
  • Bypass authentication
  • Privilege escalation
  • Execute remote commands
  • Infer/leak sensitive information

7 of 7

How to prevent attacks

Your application should:

  • Make no assumptions about user input
    • Validate all user input from the request (allowlist what is acceptable)
  • Use parameter substitution (parameterized queries / prepared statements), never string concatenation
  • Use SQL functions and views so the application touches only the data it needs

Your user account should:

  • Have minimal privileges
    • Create application-specific user accounts
    • Never use admin account for applications!

Your db server should:

  • Be separate from your web/app servers
  • Have security patches installed as soon as they are released