Hello There,
Thank you for taking the time to read the write — up! I appreciate it!
Today’s content is going to be on understanding ‘SQL Injection’
The content is completely based on my personal experiences & knowledge, interactions with incredible people in the App Sec and Software Development space, and a lot of reading and secure coding.
In this article, I’ll try to simplify the content in basics. I’m sure that readers will have their own thoughts and comments, and I welcome any feedback & discussion.
Views / Comments / Opinions are my own and not of my past / current employer.
Let’s learn together!
What is SQL Injection?
A type of application security attack where a malicious actor inserts malicious SQL code into a vulnerable input field in order to access and manipulate data within a database. SQLi allows the attacker to view / modify / delete data in a database.
How to fix SQLi?
Do not concatenate SQL queries and input values.
Always perform input validation ( my personal opinion, it actually deters a lot of malicious signatures )and then follow one of the underneath strategies to fix SQLi -
- Parameterized Queries: Pass input values as parameters to sql statements. This is attained by using parameterized queries. This prevents malicious inputs from being executed as SQL code.
- Stored Procedures: It is much better to not having SQL sql queries within the code and moving them to a DB via stored procedures.
Code Sample:
Parameterized Queries:
In the underneath code sample, the name and pass are passed in as parameters to the sql statement via ‘setString()’ . It is a method of PreparedStatement.
....
// simple basic example
// assume name and pass are obtained from some input
// conn is the connection
String sqlStatement = "SELECT * FROM userdetails WHERE name = ? AND pass = ?";
PreparedStatement stmt = conn.prepareStatement(sqlStatement);
stmt.setString(1, name);
stmt.setString(2, pass);
ResultSet rs = stmt.executeQuery();
// carry on with your logic
....
Stored Procedures:
In the underneath code sample, ‘name’ and ‘location’ are passed in as parameters to the stored procedure ‘userDetails’ via ‘setString()’. It is a method of CallableStatement. The output is received via the parameter ‘output’ which utilizes ‘registerOutParameter’. It is another method of CallableStatement.
....
// simple basic example
// Assume name and location are obtained from some input
// conn is the connection
CallableStatement stmt = conn.prepareCall("{ call userdetails(?,?,?) }");
stmt.setString(1, name);
stmt.setString(2, location);
stmt.registerOutParameter(3, java.sql.Types.INTEGER);
stmt.execute();
int output = stmt.getInt(3);
// carry on with your logic...
....In my next post, I will touch upon XSS.
Comments / Feedback are always welcomed as I am always looking to improve the content and be better at it.
Source write-up: My own experience in App Sec, paraphrasing the content from multiple online websites, Open AI, DALL-E, Developer and NLP tools.
Thank you!
Add me up on LinkedIn
