
Security Assessment

Risk    Probability    Impact
9.1     3.9            5.2
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

A SQL injection allows an attacker to run arbitrary SQL code in the database, which may let them retrieve, change or delete data. In some cases, full control of the server that runs the database is possible as well.


Guides

To prevent SQL injection attacks, treat all user input as potentially malicious and follow these programming guidelines:


Filter User Input

For an attacker to successfully execute an SQL injection, they need to plant some code that is run by the web application's database. Therefore all user input should be validated first and limited to the characters that are actually needed. For example, a registration form may ask the user for a username, password and e-mail address. You can restrict these input fields to characters that do not interfere with the database. The following PHP example filters the user input for the three values:

<?php
// Reject any character outside the allow-list of each field.
// The hyphen is placed last in each character class so PCRE treats it as a
// literal; an out-of-order range such as "_-@" is a pattern error.
if (preg_match('/[^A-Za-z0-9]/', $username) ||
    preg_match('/[^A-Za-z0-9!_-]/', $password) ||
    preg_match('/[^A-Za-z0-9_@.-]/', $email)) {   // "." added: every valid e-mail address contains one
    echo "Invalid Characters!";
} else {
    # Run Database Command
}
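As an added example that is not part of the original guide, the same allow-list idea written as a reusable validator for the registration form. The field names, the length limits and the decision to validate the e-mail address with PHP's built-in filter are assumptions; it also fails closed if a pattern is broken, since preg_match() then returns false rather than 0.

```php
<?php
// Added example (not from the original page): allow-list validation of the
// registration form fields. Field names, patterns and length limits are assumptions.

// One pattern per field. Anchored with \A ... \z so the whole value must match.
// The hyphen is last in each class so PCRE reads it as a literal character.
const FIELD_PATTERNS = [
    'username' => '/\A[A-Za-z0-9]{3,32}\z/',
    'password' => '/\A[A-Za-z0-9!_-]{8,128}\z/',
];

// Returns an array of field => error message; an empty array means the input passed.
function validateRegistration(array $input): array
{
    $errors = [];
    foreach (FIELD_PATTERNS as $field => $pattern) {
        $value  = $input[$field] ?? '';
        $result = preg_match($pattern, $value);
        if ($result === false) {
            // A broken pattern (e.g. an invalid range) must not silently accept input.
            throw new RuntimeException("invalid validation pattern for field '$field'");
        }
        if ($result !== 1) {
            $errors[$field] = "Invalid characters or length in $field";
        }
    }
    // An e-mail address has more structure than a character class expresses,
    // so delegate that check to PHP's own validator.
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail address';
    }
    return $errors;
}

// Constructed sample requests: one that passes and one that fails every field.
$good = ['username' => 'alice01', 'password' => 'S3cret_pass!', 'email' => 'alice@example.com'];
$bad  = ['username' => "o'brien",  'password' => 'pw',           'email' => 'not-an-email'];

print_r(validateRegistration($good));
print_r(validateRegistration($bad));
```

Note that the second sample rejects a legitimate name containing an apostrophe. Validation narrows what reaches the database, but it is a complement to prepared statements, not a replacement for them, because the characters a field needs (quotes in names, free text in comments) are often the very ones a filter would have to block.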



Database Mappers

Most modern web frameworks provide some abstraction of the database handling; Laravel, for example, provides Eloquent models. Objects you create are automatically converted and stored in, or retrieved from, the database. For the user registration form, one could create the user object in the following way:

<?php
use Illuminate\Support\Facades\Hash;

// Eloquent passes each attribute to the database as a bound query parameter.
$user = new User;
$user->username = $request->username;
$user->password = Hash::make($request->password); // store a password hash, never the plain-text password
$user->email = $request->email;
$user->save();

The resulting SQL statement is built by Eloquent with the values passed as bound parameters, which prevents SQL injection. Note that raw query methods such as whereRaw() bypass this protection unless the values are supplied as bindings rather than concatenated into the query string.


Sanitize User Input / Prepared Statements

It may not always be possible to use a database mapper. In these cases, use prepared statements to build your SQL queries. A prepared statement sends the query text and the user-supplied values to the database separately, so the values are never parsed as SQL and cannot inject it. In PHP you can create a prepared statement in the following way:

<?php
// Collect the values first; bind_param() binds the variables by reference and
// their contents are read when execute() runs.
$username = $request->username;
$password = password_hash($request->password, PASSWORD_DEFAULT); // store a hash, not the plain-text password
$email    = $request->email;

$stmt = $mysqli->prepare("INSERT INTO users(username, password, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $username, $password, $email); # "sss" states that three strings are expected
$stmt->execute();
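The following added example, which is not code from the original guide, shows why the separation matters: the same INSERT is written once with string concatenation and once as a prepared statement, and both are run against an in-memory SQLite database so the script works offline. It assumes the pdo_sqlite extension is available; the table layout and the sample user are constructed for the demonstration. A legitimate name containing a single quote is enough to break the concatenated query, which is exactly the mechanism described under "Vulnerability Information" above.

```php
<?php
// Added example (not from the original page): concatenated vs. prepared INSERT
// against an in-memory SQLite database. Assumes the pdo_sqlite extension.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, password TEXT, email TEXT)');
    return $db;
}

// Vulnerable pattern: user-controlled values are pasted into the SQL text,
// so the database cannot tell data from query.
function insertConcatenated(PDO $db, string $username, string $password, string $email): void
{
    $sql = "INSERT INTO users(username, password, email) VALUES ('$username', '$password', '$email')";
    $db->exec($sql);
}

// Safe pattern: the SQL text is fixed; the values travel separately as parameters.
function insertPrepared(PDO $db, string $username, string $password, string $email): void
{
    $stmt = $db->prepare('INSERT INTO users(username, password, email) VALUES (:u, :p, :e)');
    $stmt->execute([':u' => $username, ':p' => $password, ':e' => $email]);
}

// Constructed sample input: a real name that happens to contain a single quote.
$username     = "o'brien";
$passwordHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$email        = 'obrien@example.com';

$db = setupDb();

try {
    insertConcatenated($db, $username, $passwordHash, $email);
    echo "concatenated insert succeeded\n";
} catch (PDOException $e) {
    // The quote in the name ended the SQL string literal early and the rest was
    // parsed as SQL. Here that is only a syntax error; with crafted input it is an injection.
    echo "concatenated insert failed: " . $e->getMessage() . "\n";
}

insertPrepared($db, $username, $passwordHash, $email);
$row = $db->query('SELECT username, email FROM users')->fetch(PDO::FETCH_ASSOC);
echo "prepared insert stored: {$row['username']} <{$row['email']}>\n";
```

Run it with `php` on the command line. The concatenated branch throws because the quote in "o'brien" terminates the string literal, while the prepared branch stores the name unchanged: the value was never part of the SQL text, so its contents could not alter the statement.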




Contribute

If you are facing an issue that is not covered in our guides, we are happy to include solutions here. Please send us an e-mail to support@crashtest-security.com.

Crashtest Security

Crashtest Security is a Munich, Germany-based start-up that redefines web application vulnerability scans. The Crashtest Security Suite differentiates itself as a fully automated vulnerability scanner enhanced with artificial intelligence, developed for the needs of the agile developer or SecDevOps. Clear vulnerability insights are provided as well as contextual, actionable insights for risk mitigation.



For more information visit https://crashtest-security.com
