Defence in Depth – Part 4 – Validate everything, Parameterize SQL queries

Trust no one, validate everything

Unfortunately, most vulnerabilities at the application layer can’t simply be patched by applying an update. In order to fix web application vulnerabilities, software engineers often need to correct mistakes within the application code. It’s therefore ideal for software engineers to understand the security risks associated with user input. At the end of the day, all user input should be considered unsafe.

By never trusting the user, and validating every input, an application can be built to be more secure and more robust. This applies to any injection vulnerabilities such as SQL injection and cross-site scripting, but it also applies to vulnerabilities that would allow an attacker to bypass authentication, or request a file they should never be allowed to see.

Parameterize SQL queries

While encrypting database tables and restricting access to a database server are valid security measures, building an application to withstand SQL injection attacks is a crucial web application defence strategy.

SQL injection is one of the most widely spread and most damaging web application vulnerabilities. Fortunately, both the programming languages, as well as the RDBMSs themselves have evolved to provide web application developers with a way to safely query the database — parameterized SQL queries.

Parameterized queries are simple to write and understand while forcing a developer to define the entire SQL statement before hand, using placeholders for the actual variables within that statement. A developer would then pass in each parameter to the query after the SQL statement is defined, allowing the database to be able to distinguish between the SQL command and data inputted by a user. If SQL commands are inputted by an attacker, the parameterized query would treat the input as a string as opposed to an SQL command.

Application developers should avoid sanitizing their input by means of escaping or removing special characters (several encoding tricks an attacker could leverage to bypass such protections) and stick to using parameterized queries in order to avoid SQL injection vulnerabilities.


 

Share this post

Leave a Reply

Your email address will not be published.