10 Steps to Protect your Websites from SQL Injection Attacks

Data theft has become so common that the price of a stolen credit card number in the black market has fallen from $10 in 2006 to a few pennies in 2009. Consumers are losing confidence in ecommerce, online banking and other electronic means of doing business. Meanwhile, attackers are devising even more clever ways to steal data and increasing numbers of companies are falling prey to those techniques. Legal and compliance requirements are getting stricter to protect the consumer, but still new incidents are on the rise in 2009. In a recent Verizon Business Data Breach Investigations Report1, studying over 600 incidents in the past five years, SQL Injection was identified as the single largest attack vector responsible for data theft

This finding is not surprising. Given the way Web applications are designed, it is very common for SQL injection attacks to occur without a company’s knowledge. Often, it is only when the credit card companies such as VISA and American Express notify the victimized company, that they learn about the hack and by then, it’s too late.

SQL injection attacks have the potential to cause significant and costly damage to an organization. They are targeted at the database, which stores sensitive information including employee and customer data. This type of attack exploits vulnerabilities in your application and manipulates the SQL queries in the application via input from the Web browser.

In a SQL injection attack, a malicious user can send arbitrary input to the server and trick the Web application into generating a different SQL statement than was originally intended. As a result, the SQL, when executed, fetches a different set of results from the database than the application would have originally requested. SQL injection attacks are most frequently used to gain unauthorized access to, or manipulate the data residing in, the database on the server.

Much has already been written about how SQL injection attacks are performed. The focus here is to prevent the attacks in the first place. Following are 10 steps that both developers and database administrators can take to prevent applications from being vulnerable to SQL injection attacks.