Websites that use scripting languages can be vulnerable to different types of attacks. As you develop your website, you will want to plan how to protect it against them. SQL Injection is one of the more common attacks that can be performed against your website or database.

SQL Injection

A SQL Injection attack uses your site's forms and scripts to exploit vulnerable code, so that malicious SQL is executed when the submitted input is processed by the web server or SQL Server. There is a large amount of documentation on how to develop your site to protect it against SQL Injection. Please review that documentation and consider the best practices it advises:

In many sites, developers use GET and POST variables to build SQL commands that are executed on the server. (GET variables are passed via the URL; POST variables are sent via form submissions.)

Hackers will modify these variables, assigning them values that the developer never intended. The GET or POST variables then carry malicious SQL fragments that are appended to the intended commands, and this malicious code is run against your SQL Server.

Using this technique, hackers can expose database table names and data by causing your site to return database errors. For example, when a particular SQL call requires a number and it is passed text characters, the result will be an error message. In some cases, the hacker can use SQL injection techniques to discover all of your table names and initiate JavaScript redirects.
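As an added example (not code from the original page), the pattern described above in Python against an in-memory SQLite table with constructed sample rows: lookup_vulnerable pastes the request variable straight into the SQL text, so an unexpected value changes the query and a non-numeric value leaks a raw database error; lookup_hardened validates on the server that the parameter is a number and passes it to the database as a bound parameter, returning a generic rejection instead of an error. The function names, table layout and sample data are assumptions made for this demo.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "admin"),
        (2, "bob@example.com", "user"),
        (3, "carol@example.com", "user"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    # 'Before' form: the GET/POST variable is concatenated into the SQL text.
    # Whatever the client sends becomes part of the command the database runs.
    query = "SELECT id, email FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def vulnerable_error_text(conn, user_id):
    # Shows what the client learns when the concatenated query fails:
    # the raw database error (here naming the unknown column) would be returned.
    try:
        lookup_vulnerable(conn, user_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def lookup_hardened(conn, user_id):
    # Validate on the server: this parameter must be a plain integer.
    if not isinstance(user_id, str) or not user_id.isdigit():
        return None  # reject the request; no database error reaches the client
    # Bind the value as a parameter so it is treated as data, never as SQL text.
    query = "SELECT id, email FROM users WHERE id = ?"
    return conn.execute(query, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, expected input:", lookup_vulnerable(db, "2"))
    print("vulnerable, altered input: ", lookup_vulnerable(db, "2 OR 1=1"))
    print("vulnerable, text input:    ", vulnerable_error_text(db, "abc"))
    print("hardened, expected input:  ", lookup_hardened(db, "2"))
    print("hardened, altered input:   ", lookup_hardened(db, "2 OR 1=1"))
```

The two defences work together: the type check rejects anything that is not a number before the database sees it, and the bound parameter guarantees that even a value which passes validation cannot change the structure of the query.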

JavaScript Injection

Not only can hackers use JavaScript to manipulate parameters and cookies, they will also inject JavaScript into dynamic pages to make the page render differently or perform some other malicious action; think of a Cross-site Scripting (XSS) attack. The following is an example of how JavaScript can set the value of an input named email within a form:

javascript:void(document.forms[0].email.value="test@test.com");

The hacker views the source of the HTML page to determine what needs to be changed and how, then assigns a new value to the HTML element. This lets the hacker modify the information within the HTML form.

Prevention

Always validate the input received, and do not rely on client-side validation to do it. Client-side validation is great for helping the user enter correct data, but a malicious user will simply skip it and bypass the check. Client-side validation should never be considered a security fix, and JavaScript should not be used as the means of validating input: as you can see, JavaScript is very easy to change and modify on any HTML page.

Additionally, validate the input every time, not just when the data is initially accepted. For example, if you set a cookie, make sure the cookie still holds the same, correct value on each and every request. A malicious user could modify the value at any time during the session.
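As an added example (not code from the original page), the two prevention rules above in Python: validate_email is a server-side whitelist check on the email form field that runs regardless of any JavaScript on the page, and issue_cookie/verify_cookie re-check a session cookie on every request. The page only says the cookie must be confirmed to hold the correct value on each request; the design choice here, which is an assumption of this demo, is to attach an HMAC tag to the cookie so the server can detect any modification without storing per-session state. The function names, the secret and the request shapes are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed server-side secret for the demo; in practice load it from
# configuration, never from source code.
SERVER_SECRET = b"demo-secret-not-for-production"

# Whitelist pattern for the email field: only this shape is accepted.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value):
    """Server-side check of the form field, independent of any client-side JS."""
    if not isinstance(value, str) or len(value) > 254:
        return False
    return EMAIL_RE.fullmatch(value) is not None


def issue_cookie(user_id):
    """Build a session cookie value whose integrity the server can verify later."""
    payload = "uid=%d" % int(user_id)
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def verify_cookie(cookie):
    """Re-check the cookie on every request; return the user id, or None if tampered."""
    if not isinstance(cookie, str) or "|" not in cookie:
        return None
    payload, _, tag = cookie.rpartition("|")
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    if not payload.startswith("uid=") or not payload[4:].isdigit():
        return None
    return int(payload[4:])


def handle_request(form, cookies):
    """Apply both checks to one request; form and cookies are plain dicts."""
    uid = verify_cookie(cookies.get("session", ""))
    if uid is None:
        return ("reject", "invalid session cookie")
    if not validate_email(form.get("email", "")):
        return ("reject", "invalid email")
    return ("ok", uid)


if __name__ == "__main__":
    session = issue_cookie(42)
    print(handle_request({"email": "test@test.com"}, {"session": session}))
    # A client that edited the cookie value mid-session is rejected.
    edited = session.replace("uid=42", "uid=1")
    print(handle_request({"email": "test@test.com"}, {"session": edited}))
    # Input that passed no client-side check is still validated on the server.
    print(handle_request({"email": "not an email"}, {"session": session}))
```

Because every request is verified against the server's own secret, it does not matter whether the browser ran the page's JavaScript, replaced the form values, or rewrote the cookie: the server decides on the data it actually received.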

More Information: