ISSC431 Central Texas College SQL Injection Attack Discussion

Hello,

I need two responses of at least 150 words each for the below students discussions for this week. Also in the bold below are the questions the students at answering.

For this assignment, answer the following:

  • What steps would you take to prevent an SQL injection attack?
  • What are advantages and disadvantages of dynamic SQL statements?
  • What types of databases are more vulnerable to SQL injections?

Student one:

Week 6 Forum

A hacking technique that was discovered 15-20 years ago has been proven today still to have a very devastating effect and is top priority for database security. SQL is a command control language associated with relational databases as Microsoft SQL, MySQL and Oracle. The first preventative measurements taken is the establishments to understanding which or any of your current applications are vulnerable to SQL injections. I feel the best way is to attack yourself to see if you are successful. However, the complexity to SQL language, there isn’t a trivial task in constructing snippet codes used to inject into a SQL query attempting to hack the database.

The disadvantages of dynamic SQL statements are loss in performance, queries are unable to be cached, debugging is hard, unreliable error management, no way to validate code dynamically, unable to use temporary tables, difficulties in the maintenance because schemas are hard coded within the dynamic code, and ease of security being compromised with SQL injections. Therefore, I recommend you trying to avoid as much as you can with using dynamic SQL.

Databases such as SQL, MS SQL Server, MySQL, Access, and Oracle are subject to SQL injections. SQL injections is very common in web applications used in a web site. Weaknesses in the database not properly written code, hacking tools are used to take over these applications to compromise. Therefore, SQL itself is vulnerable to SQL injections because it’s not within the database engine, however the source is within the back-end database.

Are databases with no proper Input validation, vulnerable to SQL Injection?

-Keenan

Student two:

What steps would you take to prevent an SQL injection attack?

There are a number of steps that can be taken to prevent a successful SQL injection attack. These measures include the following:

  • Bond Parameters – These parameters bind with the user query. This bond essentially becomes a protective shell around the user query so that the query is treated as strictly data by the database, rather than a command or script.
  • Data Sanitization – This preventative measure will block specific words or characters and filtering bad key words out while allowing good key words to be used in the database query.
  • Database Restriction and Segregation – This preventative measure uses least privilege principles to ensure that users and accounts don’t have more privileges that they need to, which can open up a risk to a SQL injection.
  • Database Design with Security in Mind – This preventative measure implements security before the database is created. This involves considering database location, external threat vectors, externally available information, naming conventions, etc.
  • Monitoring – This preventative measure ensures that if an injection attack hits the database, that the administrators will receive an alert so they can take corrective action, or corrective action can be applied automatically.

(Basta, Zgola, & Bullaboy, 2012)

What are advantages and disadvantages of dynamic SQL statements?

Dynamic SQL statements are helpful because it allows the user to build the query themselves without having to know the SQL language. This means it’s more customizable from the end user perspective. However, the big disadvantage with dynamic SQL statements is that they are highly susceptible to SQL injections. Preventative measures can be taken to help outweigh this risk (see above), but this is a huge risk and most database administrators will avoid using these dynamic statements. Additionally dynamic statements often require complex code to operate, which can get messy and hard to maintain as the system grows. (Oracle dynamic, n.d.)

What types of databases are more vulnerable to SQL injections?

Lots of databases accept the SQL language and it is not just limited to SQL only databases. Oracle and others are also susceptible. However, since SQL injections usually originate from web pages and web forms, any database that receives input from a web page will be vulnerable to SQL injections. (SQL Injection, n.d.)

References

Basta, A., Zgola, M., & Bullaboy, D. (2012). Database security. Boston, MA: Course Technology/Cengage Learning.

Oracle Dynamic SQL. (n.d.). Retrieved June 12, 2019, from https://docs.oracle.com/cd/A87861_01/NT817EE/appdev.817/a76942/pc_13dyn.htm

SQL Injection Defense for Databases and Networks. (n.d.). Retrieved June 12, 2019, from https://www.beyondsecurity.com/about-sql-injection.html

-Leah