Take action against the increase in SQL injection attacks
Posted on 21 July 2009.
A steady increase in the number of SQL injection attacks means that companies should review their applications for vulnerabilities, and ensure vulnerabilities are patched. Network Box has issued advice to customers on protecting against SQL injection attacks to customers who operate public web servers to exercise caution, particularly those accessible over the Internet.


SQL injection attacks are extremely hard to stop at the gateway, as the attacks come from within a genuine application that has been exploited. Customers should review application scripts and ensure they are up to date with the most recent patches, on a regular basis.

Network Box’s advice to companies, in addition to checking up-to-date patches for applications, is to deploy three main methods to prevent such attacks:
  • Use ‘parameterised’ SQL statements – put clear parameters into SQL instruction.
  • Validate each parameter ID. For example, the ID parameter must be a number, or is restricted to certain terms.
  • Use ‘escape’ parameters before insertion to the SQL statement. This ensures the commands inserted by the hacker are treated as a variable rather than a command. So instead of comparing the id with ‘XX’ and then executing ‘truncate table news’, the id is compared with ‘XX; truncate table news’ which is not a legitimate id and is rejected.





Spotlight

Using Hollywood to improve your security program

Posted on 29 July 2014.  |  Tripwire CTO Dwayne Melancon spends a lot of time on airplanes, and ends up watching a lot of movies. Some of his favorite movies are adventures, spy stuff, and cunning heist movies. A lot of these movies provide great lessons that we can apply to information security.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Jul 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //