Hacking has been in the news a lot recently. Whether it’s in relation to the US elections or the NHS database or Sony Pictures email servers, hacking is constantly the subject of conversation. In this world where hacking is so rife, we need to protect ourselves as best we can. And we can only do that if we know exactly what’s going on. Many hacks take the form of what’s called SQL injection. SQL (Structured Query Language) is a language designed to let you communicate with a relational database. Given the complexity of the modern website, it requires a special content database. These databases can be hacked, however. They can be injected with code—more specifically, with malicious SQL statements—which can lead to sensitive content being dumped to the attacker. If you have a website and aren’t sure how to protect yourself, here are a few tips.
- Use a scanner. Looking for vulnerabilities to SQL injection—such as places where a user is asked for input—requires an audit. Rather than auditing manually, which is extremely laborious and difficult, you’d be well advised to use a special SQL injection scanner through a company such as Checkmarx.
- Lessen input. Input channels are the orifices through which a virus may get in. If you give the database the right commands, then you can get access to special administrative privileges. You’d do well to constrict the input channels to the bare minimum.
- Lessen privileges. In certain extreme cases, wherein delete access is granted to database accounts, the hacker might even delete the whole website. For this reason, you should constrict the privileges to read-write users.
- Encryption. In the event that a hacker does get through to your database, make sure to encrypt data that might be deemed compromising: passwords, financial information, etc.
- PDO Prepared Statements. These are basically placeholder names in the SQL commands section. By running the bind parameters function you will effectively protect yourself against SQL injection.
Well there you go. Those are a few tips to help protect you from SQL injection. If you’re a website-owner using a relational database, you’d do well to follow a few of these procedure. There will always be hackers out there, and though the chances of you being hacked aren’t all that high, you’d still do well to take preventive action. Always account for the worst.