SQL Injection or Insertion Attack
Posted by ASO Admin on 07 February 2020 02:06 PM
|
|
SQL injection is an attack where malicious code is passed to an SQL Server for execution. The attack can result in unauthorized access to confidential data, or destruction of critical data. SQL injection attacks should only be a concern for PHP developers and the like. If you are using a database driven program like WordPress, Joomla or OSCommerce, then all you need to do is upgrade your programs to the latest version available. Prevent SQL InjectionEscapingOne way to prevent injections is to escape dangerous characters like a backslash, apostrophe orsemicolon. In PHP, it is typical to escape the input using the function 'mysql_real_escape_string' before sending the SQL query.
Parameterized StatementsA parameterized query uses placeholders for the input, and the parameter values are supplied at execution time.
AdvancedIn PHP version 5 and above, there are multiple choices for using parameterized statements; the PDO database layer is one of them. There are also vendor-specific methods; for example, MySQL 4.1 + used with the mysqli extension. Additional PrecautionsScanning for VulnerabilitiesWe now offer SiteLock on select hosting plans, which performs forward and backward-looking scans to make sure current and future visitor/customer data is secure on your website. For SiteLock subscribers, our patent-pending 360-degree scan technology tests each input box on your website to ensure that they are not vulnerable to this type of attack. We verify the safety of each input box on your website by inserting code in the way hackers would. We do not read or collect any data though. We use safe test procedures and code and if we discover a vulnerability in our testing, we report it to you. Find out more about Sitelock in our Knowledgebase. | |
|