Take action against the increase in SQL injection attacks
Posted on 21 July 2009.
A steady increase in the number of SQL injection attacks means that companies should review their applications for vulnerabilities and ensure those vulnerabilities are patched. Network Box has issued advice on protecting against SQL injection attacks, urging customers who operate public web servers, particularly those accessible over the Internet, to exercise caution.

SQL injection attacks are extremely hard to stop at the gateway, because the malicious queries are issued by a genuine application that has been exploited. Customers should regularly review their application scripts and ensure they carry the most recent patches.

Network Box’s advice to companies, in addition to keeping application patches up to date, is to deploy three main methods to prevent such attacks:
  • Use ‘parameterised’ SQL statements – pass values to the SQL statement as distinct parameters rather than building them into the statement text.
  • Validate each parameter. For example, an ID parameter must be a number, or must be restricted to a fixed set of accepted values.
  • ‘Escape’ parameters before inserting them into the SQL statement. This ensures that anything the attacker inserts is treated as a value rather than a command: instead of comparing the id with ‘XX’ and then executing ‘truncate table news’, the id is compared with ‘XX; truncate table news’, which is not a legitimate id and is rejected.
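The three methods above, shown side by side in working code. This is an added example, not code from the article or from Network Box: it uses Python's standard sqlite3 module with a constructed in-memory `news` table (the article names no schema), a hostile input modelled on the article's own ‘truncate table news’ example, and hypothetical helper names (`validate_id`, `fetch_news`, `escape_literal`). It contrasts the weak pattern of pasting a request parameter into the SQL text with the parameterised, validated and escaped alternatives.

```python
import re
import sqlite3


# Constructed sample data for the demonstration: the article names no schema,
# so this small in-memory "news" table is an assumption.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "First post"), (2, "Second post"), (3, "Third post")])
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM news").fetchone()[0]


# The weak pattern the article warns about: the request parameter is pasted
# straight into the SQL text, so anything after a closing quote becomes SQL.
# Shown only as a string; it is never executed here.
def build_query_unsafe(raw_id):
    return "SELECT id, title FROM news WHERE id = '" + raw_id + "'"


# Method 2: validate the parameter. Here the id must be a short decimal number.
ID_RE = re.compile(r"[0-9]{1,9}")


def validate_id(raw_id):
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("rejected id parameter: %r" % (raw_id,))
    return int(raw_id)


# Method 1: a parameterised statement. The SQL text is fixed; the driver binds
# the value separately, so it can never be parsed as part of a command.
def fetch_news(conn, raw_id):
    news_id = validate_id(raw_id)
    return conn.execute("SELECT id, title FROM news WHERE id = ?",
                        (news_id,)).fetchall()


# The same parameterised statement without validation: even a hostile string is
# simply compared as a literal id and matches no row.
def fetch_news_by_literal(conn, raw_id):
    return conn.execute("SELECT id, title FROM news WHERE id = ?",
                        (raw_id,)).fetchall()


# Method 3: escape before insertion. SQLite, like most SQL dialects, escapes a
# single quote inside a string literal by doubling it, so the whole value stays
# one literal and the statement boundary cannot be broken.
def escape_literal(value):
    return "'" + value.replace("'", "''") + "'"


def fetch_news_escaped(conn, raw_id):
    query = "SELECT id, title FROM news WHERE id = " + escape_literal(raw_id)
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input modelled on the article's own example.
    hostile = "XX'; truncate table news; --"
    print(build_query_unsafe(hostile))          # the injected text is now SQL
    print(fetch_news(db, "2"))                  # [(2, 'Second post')]
    try:
        fetch_news(db, hostile)
    except ValueError as exc:
        print(exc)                              # validation rejects it
    print(fetch_news_by_literal(db, hostile))   # [] : compared as a literal id
    print(fetch_news_escaped(db, hostile))      # [] : still one literal
    print(row_count(db))                        # 3 : nothing was truncated
```

Parameterised statements are the method to reach for first: validation and escaping both depend on the application getting every input right, whereas binding keeps the query text fixed regardless of the value. Escaping rules are also dialect-specific (quote doubling here is SQLite's and ANSI SQL's; other databases add their own), which is one more reason to let the driver do the work.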
