Take action against the increase in SQL injection attacks
Posted on 21 July 2009.
A steady increase in the number of SQL injection attacks means that companies should review their applications for vulnerabilities, and ensure vulnerabilities are patched. Network Box has issued advice to customers on protecting against SQL injection attacks to customers who operate public web servers to exercise caution, particularly those accessible over the Internet.


SQL injection attacks are extremely hard to stop at the gateway, as the attacks come from within a genuine application that has been exploited. Customers should review application scripts and ensure they are up to date with the most recent patches, on a regular basis.

Network Box’s advice to companies, in addition to checking up-to-date patches for applications, is to deploy three main methods to prevent such attacks:
  • Use ‘parameterised’ SQL statements – put clear parameters into SQL instruction.
  • Validate each parameter ID. For example, the ID parameter must be a number, or is restricted to certain terms.
  • Use ‘escape’ parameters before insertion to the SQL statement. This ensures the commands inserted by the hacker are treated as a variable rather than a command. So instead of comparing the id with ‘XX’ and then executing ‘truncate table news’, the id is compared with ‘XX; truncate table news’ which is not a legitimate id and is rejected.





Spotlight

Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

Posted on 23 October 2014.  |  Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //