What is SQL Injection (SQLi)?

Everyone knows that, with the advance of technology, security is a basic and important requirement for every business and social media platform. Almost every business relies on its business data, and this data is stored in databases. SQL provides techniques to protect your data from attackers, and we can protect our website's data using different techniques. SQL injection, by contrast, is a hacking technique: attackers can access your data and can also crash your servers by injecting code into your database queries. This method is made feasible by improper coding of vulnerable web applications. Some new developers do not check whether a data field is empty, and such unchecked fields are a cause of SQL injection.

Prevent SQL Injection through Parameterized Queries

This approach consists of using prepared statements with the question mark placeholder ("?") in our queries wherever we need to insert a user-provided value. This is very effective and, unless there is a bug in the JDBC driver's implementation, immune to exploits.

A simple example code for this technique is:

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.List;

public List<AccountDTO> safeFindAccountsByCustomerId(String customerId)
        throws Exception {
    // The statement template is a constant; the user value only enters through the "?" placeholder
    String sql = "select customer_id, acc_number, branch_id, balance from Accounts "
               + "where customer_id = ?";
    Connection c = dataSource.getConnection();
    PreparedStatement p = c.prepareStatement(sql);
    p.setString(1, customerId);          // bind the user-provided value to the first placeholder
    ResultSet rs = p.executeQuery();     // no SQL argument here: the prepared text is already bound
    // omitted: process rows and return an account list
}


In the above code, the prepareStatement() method available on the Connection instance returns a PreparedStatement. This lets us safely insert user-provided values into a query before executing it.

The Use of PDO Prepared Queries

Use PDO and prepared queries.

($conn is a PDO object)

$stmt = $conn->prepare('INSERT INTO tbl VALUES (:id, :name)');
$stmt->bindValue(':id', $id);      // the bound name must match the placeholder in the template exactly
$stmt->bindValue(':name', $name);
$stmt->execute();

Prepared statements are resilient against SQL injection because parameter values, which are transmitted later using a different protocol, do not need to be escaped at all. If the original statement template is not derived from external input, SQL injection cannot occur.
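To make the point of the Java and PDO sections concrete, here is an added example (not code from the original article) written in Python against an in-memory SQLite database with a constructed Accounts table of the same shape as above. It runs the concatenated "before" form and the parameterized form side by side on an honest customer id and on a constructed input containing a quote, so you can see that only the bound version keeps the template intact.

```python
import sqlite3


def make_db():
    # Constructed sample data mirroring the Accounts table used in the Java example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounts (customer_id TEXT, acc_number TEXT, branch_id TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO Accounts VALUES (?, ?, ?, ?)",
        [
            ("c-100", "ACC-1", "B1", 1500.0),
            ("c-100", "ACC-2", "B1", 250.0),
            ("c-200", "ACC-3", "B2", 9800.0),
        ],
    )
    return conn


def unsafe_find_accounts(conn, customer_id):
    # The vulnerable form: the user value is spliced into the SQL text, so a quote
    # in the input changes the statement template itself.
    sql = (
        "SELECT customer_id, acc_number, branch_id, balance FROM Accounts "
        "WHERE customer_id = '" + customer_id + "'"
    )
    return conn.execute(sql).fetchall()


def safe_find_accounts(conn, customer_id):
    # The hardened form from the article: the template is a constant and the
    # value travels separately as a bound parameter, never as SQL text.
    sql = (
        "SELECT customer_id, acc_number, branch_id, balance FROM Accounts "
        "WHERE customer_id = ?"
    )
    return conn.execute(sql, (customer_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    honest = "c-100"
    hostile = "x' OR '1'='1"  # constructed input: closes the quote in the concatenated query
    print(len(unsafe_find_accounts(conn, honest)), len(safe_find_accounts(conn, honest)))    # 2 2
    print(len(unsafe_find_accounts(conn, hostile)), len(safe_find_accounts(conn, hostile)))  # 3 0
```

With the hostile input the concatenated query returns every row in the table, while the parameterized query simply looks for a customer whose id is literally that string and returns nothing.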

Prevent through Object Relational Mapping (ORM) in a Ruby Framework

Many development teams choose to use Object Relational Mapping (ORM) frameworks to make the translation of SQL result sets into code objects more seamless. With ORM tools, developers rarely have to write SQL statements in their code, and these tools use parameterized statements under the hood.

def current_user(email)
  # The 'User' object is an Active Record model whose finder methods
  # (such as find_by_email) are automagically generated by Rails.
  User.find_by_email(email)
end


The above code is protected against SQL injection because the generated finder passes email to the database as a bound parameter rather than concatenating it into the SQL text.

Encrypted Database

Another simple method to protect your SQL database from injection is to encrypt the database or its data. Also keep your database credentials in a separate file and encrypt it securely, so that attackers gain little from it.