Preventing SQL Injection attacks in ColdFusion

This is an article I came across on Ben Forta's blog. It gives some very good tips on preventing SQL injection attacks and provides some excellent best practices.

http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html

When I took up my current position we had to do a vulnerability scan to become PCI compliant and, well, we originally failed horribly. After much work we got it compliant and fixed all of the security holes identified. The article above gives some ColdFusion-specific items but also defines some techniques that can be applied to other languages. A few things that are of note are:

  • Database user privileges
  • Use of stored procedures
  • Use of dynamic table names

These three points are usually overlooked by the average developer and should really be implemented. 


Database User Access:

Only give the database user the minimum rights required to perform the task. So if your user only needs to perform select and update operations, it should not have delete, create, or any other rights.


Stored Procedures:

Stored procedures provide a very good way to abstract and hide database logic from your code. They are awkward to fit into many of the frameworks that use Active Record patterns, such as Rails and CakePHP, or ORM systems such as Reactor in ColdFusion, but stored procedures can provide significant performance improvements as well as security benefits.


Dynamic Table Names:

By prefixing your database tables with a custom string, you can build queries that use a dynamic string for accessing the table information instead of hardcoding the table name. This is another good idea, since many systems use generic table names like users, categories, groups, etc., which can be easily guessed.
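The following CFML puts the three points together in one request handler. It is an added example, not code from this post or from the linked Adobe article; the datasource name in `application.dsn`, the `application.tablePrefix` setting, the `usp_UpdateUserEmail` procedure, the `app_user` account and the grants shown in the comment are all assumptions.

```cfml
<!---
  Assumed database-side setup (T-SQL shown for illustration), matching the
  "Database User Access" and "Stored Procedures" points above:

    GRANT SELECT, UPDATE ON acme_users TO app_user;
    GRANT EXECUTE ON usp_UpdateUserEmail TO app_user;

  app_user holds no DELETE, CREATE or DROP rights, so even a successful
  injection is limited to what the application legitimately does.
--->

<!--- The table prefix is read from application configuration (set in
      Application.cfc), never from the form or URL scope. Identifiers cannot
      be bound with cfqueryparam, so validate it before it reaches a query. --->
<cfset tablePrefix = application.tablePrefix>   <!--- e.g. "acme_" --->
<cfif NOT reFind("^[A-Za-z0-9_]+$", tablePrefix)>
    <cfthrow message="Invalid table prefix in application configuration">
</cfif>

<!--- Every value that comes from the request is bound with cfqueryparam,
      so the database receives it as a typed parameter, not as SQL text. --->
<cfquery name="getUser" datasource="#application.dsn#">
    SELECT user_id, username
    FROM #tablePrefix#users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Updates go through a stored procedure; the application user only
      holds EXECUTE on it, and each argument is passed as a typed parameter. --->
<cfif getUser.recordCount EQ 1>
    <cfstoredproc procedure="usp_UpdateUserEmail" datasource="#application.dsn#">
        <cfprocparam type="in" cfsqltype="cf_sql_integer"
                     value="#getUser.user_id#">
        <cfprocparam type="in" cfsqltype="cf_sql_varchar"
                     value="#form.email#" maxlength="255">
    </cfstoredproc>
</cfif>
```

The prefix check matters because the table name is the one piece of the query that cannot be parameterised; keeping it out of the request scope and validating it is what makes the dynamic table name safe.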


It is very important to analyse every section of code and perform a security audit ensuring that all forms are protected, since this is the first place that attackers target.
