In our previous article, we explained the dangers of SQL injection but did not cover how to protect your business against it. This article focuses on the mitigation techniques you can employ to reduce the risk this attack poses to your business.
Hiding errors – A visitor to your website should never see a raw database error. Such errors hand an attacker extremely valuable information: table and column names, the database engine and its version, and confirmation that a payload reached the query. Instead of outputting that detail, catch the error, record it in your server-side logs, and send the visitor to a dedicated error page that reveals nothing about the back end; the standard “Oops! Something went wrong” is a good example. Bear in mind that this only removes the attacker's feedback channel: the injected query still runs, so hiding errors complements the controls below rather than replacing them.
Filtering – The core of SQL injection is using special characters such as ‘ or “ to break out of the string literal that the back-end code (e.g. PHP) has placed the input in, so that whatever follows is parsed by the database as additional SQL. One common counter is to filter every input field for such special characters. Some providers reject input containing them outright, while others accept it but escape or strip it so that nothing after the user's value can be executed as code. Be aware that blocklist filters are context-dependent (a numeric field needs no quote character to inject into) and tend to mangle legitimate data such as names containing an apostrophe, so validating each field against the format you actually expect (an allow-list) is the more reliable form of filtering.
Prepared statements – Even with filtering in place, an attacker has a range of evasion techniques (e.g. encoding inputs, or doubling up characters so that a single-pass filter leaves the payload intact). Prepared statements close this gap: the SQL text is fixed and sent to the database with placeholders, and the user-supplied values are bound to those placeholders separately, so the input is only ever treated as data and can never alter the structure of the query. One caveat: placeholders can only carry values, not identifiers such as table or column names or an ORDER BY direction, so anything of that kind that comes from the user must still be checked against an allow-list.
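The three controls above, tried against one small database, as an added example in Python with SQLite (this is not the article's own code; the `accounts` table, its sample rows, the blocklist inside `naive_filter`, the `server_log` list and all function names are constructed for the demonstration). It shows a working injection against string concatenation, the same payload being stopped by the filter, the doubled-keyword trick the text mentions slipping through a single-pass filter on a numeric field, the prepared statement refusing to treat either payload as SQL, and a UNION probe whose column-count error is shown raw versus hidden behind the generic message.

```python
import re
import sqlite3

GENERIC_ERROR = "Oops! Something went wrong"
server_log = []  # stand-in for the application's server-side log sink


def make_db():
    """Constructed sample data (not from the article): a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "dorothy", "user")],
    )
    conn.commit()
    return conn


# --- No mitigation. Vulnerable on purpose: the input is pasted into the SQL text.
def lookup_unsafe(conn, username):
    sql = "SELECT username FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_unsafe(conn, id_text):
    sql = "SELECT username FROM accounts WHERE id = " + id_text
    return [row[0] for row in conn.execute(sql)]


# --- Filtering: a blocklist of the kind the article describes (hypothetical list).
KEYWORDS = re.compile(r"(?i)(or|union|select)")


def naive_filter(value):
    """Drops single quotes, then makes ONE pass removing blocklisted keywords."""
    return KEYWORDS.sub("", value.replace("'", ""))


def lookup_filtered(conn, username):
    return lookup_unsafe(conn, naive_filter(username))


def lookup_by_id_filtered(conn, id_text):
    return lookup_by_id_unsafe(conn, naive_filter(id_text))


# --- Prepared statements: the SQL text is fixed, the value is bound separately.
def lookup_safe(conn, username):
    rows = conn.execute("SELECT username FROM accounts WHERE username = ?", (username,))
    return [row[0] for row in rows]


def lookup_by_id_safe(conn, id_text):
    rows = conn.execute("SELECT username FROM accounts WHERE id = ?", (id_text,))
    return [row[0] for row in rows]


# --- Hiding errors: what reaches the visitor when the query fails.
def render_leaky(fn, conn, value):
    """What the article says not to do: the raw driver message goes to the browser."""
    try:
        return fn(conn, value)
    except sqlite3.Error as exc:
        return "Database error: " + str(exc)


def render(fn, conn, value):
    """Full detail goes to the server-side log; the visitor sees a generic message."""
    try:
        return fn(conn, value)
    except sqlite3.Error as exc:
        server_log.append(f"{fn.__name__}({value!r}): {exc}")
        return GENERIC_ERROR


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "x' OR 1=1 --"))                        # every account: injection works
    print(render_leaky(lookup_unsafe, db, "' UNION SELECT 1,2 --"))  # leaks the column-count error
    print(render(lookup_unsafe, db, "' UNION SELECT 1,2 --"))        # "Oops! Something went wrong"
    print(lookup_filtered(db, "x' OR 1=1 --"))                      # []: filter stops the obvious payload
    print(lookup_filtered(db, "dorothy"))                            # []: and breaks a legitimate user
    print(lookup_by_id_filtered(db, "1 OORR 1=1"))                  # every account: doubled OR survives one pass
    print(lookup_by_id_safe(db, "1 OORR 1=1"))                      # []: the bound value never becomes SQL
    print(lookup_safe(db, "dorothy"))                                # ['dorothy']
```

Two details are worth noticing when you run it. The filter "works" against `x' OR 1=1 --` on the string field, yet the same blocklist silently turns the legitimate username `dorothy` into `dothy`, and on the numeric field `1 OORR 1=1` becomes `1 OR 1=1` after the single pass, which is exactly the doubling trick from the text. The prepared statement needs no filter at all: SQLite receives `WHERE id = ?` and a separate value, so `1 OORR 1=1` is compared as a piece of text and matches nothing. PHP's PDO with `prepare()` and bound parameters gives the same guarantee.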
To conclude, no single control covers every case on its own: prepared statements remove the injection point wherever a value can be parameterised, filtering and validation catch malformed input early and protect the places a placeholder cannot, and hidden errors deny the attacker feedback. Layered together they make exploitation extremely time consuming and difficult, maximising your resilience against both automated and manual attacks.