Take action against the increase in SQL injection attacks
Posted on 21 July 2009.
A steady increase in the number of SQL injection attacks means that companies should review their applications for vulnerabilities and ensure that any they find are patched. Network Box has issued advice on protecting against SQL injection attacks to customers who operate public web servers, urging caution particularly for servers accessible over the Internet.

SQL injection attacks are extremely hard to stop at the gateway, because the attacks arrive through a genuine application that has been exploited. Customers should review their application scripts regularly and ensure they are up to date with the most recent patches.

Network Box’s advice to companies, in addition to keeping application patches up to date, is to deploy three main methods to prevent such attacks:
  • Use ‘parameterised’ SQL statements – pass values to the SQL instruction as clearly separated parameters rather than embedding them in the query text.
  • Validate each parameter. For example, the ID parameter must be a number, or must be restricted to certain permitted terms.
  • ‘Escape’ parameters before inserting them into the SQL statement. This ensures that the commands inserted by the hacker are treated as a value rather than a command. So instead of comparing the id with ‘XX’ and then executing ‘truncate table news’, the database compares the id with ‘XX; truncate table news’, which is not a legitimate id and is rejected.
