SQL injection attacks are extremely hard to stop at the gateway, as the attacks come from within a genuine application that has been exploited. Customers should review application scripts and ensure they are up to date with the most recent patches, on a regular basis.
Network Box’s advice to companies, in addition to checking up-to-date patches for applications, is to deploy three main methods to prevent such attacks:
- Use ‘parameterised’ SQL statements – pass each value to the database as a separate parameter instead of building the SQL instruction from strings.
- Validate each parameter. For example, the ID parameter must be a number, or must be restricted to a set of permitted values.
- ‘Escape’ parameters before insertion into the SQL statement. This ensures that whatever the hacker inserts is treated as a value rather than a command: instead of comparing the id with ‘XX’ and then executing ‘truncate table news’, the id is compared with ‘XX; truncate table news’, which is not a legitimate id and is rejected.
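The following Python program is an added example, not code from Network Box or from the advisory above, showing the three methods side by side against a string-concatenated lookup. It uses only the standard library's sqlite3 module with a constructed in-memory `news` table; `executescript()` stands in for a database driver that accepts stacked statements (an assumption for the demo, since `execute()` in sqlite3 refuses a second statement), and `DELETE FROM news` is used in place of the page's `truncate table news` because SQLite has no TRUNCATE.

```python
import re
import sqlite3


# Constructed sample table for the demonstration (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news (id, title) VALUES (?, ?)",
                     [(1, "First story"), (2, "Second story")])
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM news").fetchone()[0]


# VULNERABLE: the request value is pasted into the SQL text, so anything after
# a ';' runs as a second command. executescript() emulates a driver that allows
# stacked statements (assumption for the demo).
def lookup_unsafe(conn, raw_id):
    sql = "SELECT title FROM news WHERE id = " + raw_id
    conn.executescript(sql)
    return sql


# Method 1: parameterised statement. The '?' placeholder is bound by the
# driver, so the whole request value is treated as a single literal id and
# never parsed as SQL.
def lookup_parameterised(conn, raw_id):
    row = conn.execute("SELECT title FROM news WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else None


# Method 2: validate the parameter before it gets near the database.
# The id must be a plain number; anything else is rejected outright.
def validate_id(raw_id):
    if not re.fullmatch(r"[0-9]{1,9}", str(raw_id)):
        raise ValueError("id must be a number")
    return int(raw_id)


# Method 3: escaping. The value is forced into a single quoted SQL string
# literal, with embedded quotes doubled (standard SQL quoting), so the
# database compares id with the literal text "1; DELETE FROM news".
def escape_literal(value):
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, raw_id):
    sql = "SELECT title FROM news WHERE id = " + escape_literal(raw_id)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Recommended combination: validate first, then bind the validated value.
def lookup_safe(conn, raw_id):
    return lookup_parameterised(conn, validate_id(raw_id))


if __name__ == "__main__":
    # Constructed payload mirroring the page's 'XX; truncate table news'.
    payload = "1; DELETE FROM news"

    db = make_db()
    lookup_unsafe(db, payload)
    print("unsafe lookup left", row_count(db), "rows")

    db = make_db()
    print("parameterised:", lookup_parameterised(db, payload), "rows:", row_count(db))
    print("escaped:", lookup_escaped(db, payload), "rows:", row_count(db))
    try:
        lookup_safe(db, payload)
    except ValueError as err:
        print("validation rejected payload:", err)
    print("safe lookup for id 2:", lookup_safe(db, "2"))
```

Running the script shows the concatenated lookup emptying the table, while the parameterised and escaped lookups return no row and leave both rows intact, and validation rejects the value before any query is issued. In practice parameterised statements are the primary control; escaping is a fallback for the rare value that cannot be bound, and validation is applied on top of either.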