An explanation of SQL (Structured Query Language) Injections

SQL Injection – How they happen

Like any other attack, this is what happens when a hacker is trying to gain access to a database. In this case the hacker uses a query to try to get in. Essentially, the hacker is trying to guess how a query against this database is written and how the database schema must be designed. This means trying to work out which tables exist in the database in the first place and how things are organised under them. If the hacker knows the structure of the tables and their attributes, they may be able to get into the database and access information they should not be able to, such as users' passwords and email addresses or even debit/credit card details. A hacker may even remove the need for any password at all.

Using different HTTP requests and SQL queries, a hacker can zero in on where and how the database is vulnerable. A search box is a useful tool for hacking a database: when a user makes a search, a SQL query and the code needed to run it are generated automatically from what was typed. Essentially, the search box works as a way into the backend of a database that we would only want certain members of our staff to be able to access. Other hacks could alter information, for example removing products, decreasing prices or cancelling orders.

SQL Injection – How to prevent them

It is good policy to assume that any input from the outside, by a customer or a client, is potentially dangerous. The first step is accepting that hacks can happen. We can prepare our queries in advance so that they are consistent. Also, we should use language that is not very obvious when possible. This is because the more benign a piece of SQL code looks, the easier it is for a hacker to embed some code that the program will then go on to follow. Methods such as these and more are seen as ways of sanitising the database and finding ways of cleaning it of bugs and hackers.

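As an added illustration (not part of the original post), here is a small Python example using the built-in sqlite3 module. One search function pastes the search-box text straight into the SQL, the other passes it separately as a parameter of a prepared query, which is what "preparing our queries in advance" means in practice. The product table, its rows and the crafted search term are all constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory product table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Kettle", 20.0), (2, "Toaster", 25.0), (3, "Blender", 40.0)],
    )
    return conn


def search_vulnerable(conn, term):
    # The search term is pasted straight into the SQL text, so the database
    # cannot tell the user's text apart from the query itself.
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_prepared(conn, term):
    # A prepared (parameterised) query: the SQL text is fixed and the term is
    # handed over separately, so it is only ever treated as data.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    conn = make_db()
    normal = "Kettle"
    # Constructed input that closes the quote and tacks on an always-true condition.
    crafted = "x' OR '1'='1"
    print(search_vulnerable(conn, normal))   # only the kettle
    print(search_vulnerable(conn, crafted))  # every product name comes back
    print(search_prepared(conn, crafted))    # nothing: it is just an odd product name
```

The prepared version also stops legitimate input from breaking the query: a customer searching for "O'Brien" would crash the concatenated query with a syntax error but is handled cleanly by the parameterised one.
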
Entities in a database are easy to predict. We know any company that sells goods online will have a product table, a customer table and so on. What is harder to predict is the name assigned to different queries. These should be hard to guess. For example, if we want to look up a person in a customer table, the query should not be called something like "Look_Up_Customer." This is too obvious and easy for a hacker to piggyback on. Having deep control over the syntax used in code is the most straightforward method of protecting against SQL injections.

Authentication Errors

This is when a hacker tries to get into an account, often a customer's account, by figuring out their login credentials: their password together with their email address or username. There are a number of ways to stop such attacks, or at least to make such details harder to guess.

How to prevent it

Two-factor authentication. This is when users are asked to log in, say on their laptop, but must confirm the login on another device, by clicking on a link sent to their email address or by submitting a six-digit number. This means that even if a hacker guesses your username and password, they might not be able to get in without having your mobile phone to hand.

Secondly, a firm can enforce strict password controls. For example: passwords must be at least 8 characters; they can't spell a popular word like "dog"; they must have at least one special character like %; they must have a capital letter; and they can't be the same as, or similar to, an old password. Such rules make a password much harder to predict. Finally, many firms insist that their employees change their passwords every few months. Banks (and I assume cryptocurrency websites) add an extra password known as a PAC, a 4-6 digit code whose digits must be entered in a different order each time a user logs in, to prevent someone from studying the key taps on a device and getting the extra code.

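As an added example (not part of the original post), here is a Python function that enforces exactly the rules listed above and reports every rule a new password breaks. The list of popular words and the "similar to an old password" test are constructed for the example; a real deployment would check against a large dictionary or breached-password list instead.

```python
import re

# Constructed list of popular words; a real system would use a large dictionary
# or breached-password list rather than a handful of entries.
POPULAR_WORDS = {"dog", "cat", "password", "letmein", "qwerty", "welcome"}


def _too_similar(new: str, old: str) -> bool:
    # Constructed notion of "similar": same ignoring case, or identical except for
    # a short trailing change such as bumping a digit (Summer2023 -> Summer2024).
    a, b = new.lower(), old.lower()
    if a == b:
        return True
    common = 0
    for x, y in zip(a, b):
        if x != y:
            break
        common += 1
    return common >= 6 and common >= max(len(a), len(b)) - 2


def check_password(candidate: str, old_passwords=()) -> list:
    """Return the list of rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(candidate) < 8:
        problems.append("must be at least 8 characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("must contain a capital letter")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must contain a special character such as %")
    lowered = candidate.lower()
    if any(word in lowered for word in POPULAR_WORDS):
        problems.append("must not contain a popular word")
    for old in old_passwords:
        if candidate == old or _too_similar(candidate, old):
            problems.append("must not be the same as or similar to an old password")
            break
    return problems


if __name__ == "__main__":
    for pw in ["dog", "Dog%", "MyPassword%1", "Tr0ub4dor%Fox"]:
        print(pw, "->", check_password(pw) or "accepted")
    print(check_password("Summer2024!", old_passwords=["Summer2023!"]))
```

Returning every violation at once, rather than stopping at the first, lets the sign-up form explain all the rules in one go; the similarity check is what catches the common habit of rotating a password by changing only the last digit.
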
The "incorrect password/email" error message is annoying: you may spend 2-3 tries retyping your password, only to realise your email was wrong, because you assumed you had typed the email address in correctly. But it is important, as it gives the hacker no insight into what is wrong.

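As an added example, not from the original post, here is a Python login check that returns the same message whether the email is unknown or the password is wrong. The user store, the email address and the password are constructed; the function names are hypothetical. Passwords are kept only as salted PBKDF2 hashes, and the unknown-email path still does the hashing work so that response time does not give away which case occurred.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "incorrect email or password"


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored values cannot be reversed or compared across users.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store():
    # Constructed store with a single user; a real one lives in the database.
    salt = os.urandom(16)
    return {"alice@example.com": (salt, hash_password("Correct%Horse1", salt))}


def login(store, email: str, password: str):
    # Whether the email is unknown or the password is wrong, the caller gets the
    # same message, so the response never confirms that an email address exists.
    record = store.get(email)
    if record is None:
        # Burn the same hashing time as a real check so timing does not leak
        # which emails are registered.
        hash_password(password, b"\x00" * 16)
        return (False, GENERIC_ERROR)
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return (True, "ok")
    return (False, GENERIC_ERROR)


if __name__ == "__main__":
    store = make_user_store()
    print(login(store, "alice@example.com", "Correct%Horse1"))
    print(login(store, "alice@example.com", "wrong-guess"))
    print(login(store, "nobody@example.com", "Correct%Horse1"))
```

The two failing calls are indistinguishable from the outside, which is the whole point of the combined "incorrect password/email" message; pairing it with a limit on failed attempts per account closes off the brute-force route as well.
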
Finally, we have the use of CAPTCHAs, where a user is prompted to click on, for example, all the cars in the 9 images shown on screen. This requires human input and makes it harder for automatic password generators to get into an account.

Summary

This piece has explained two types of attacks that we learned in class. It has also provided ways in which both can be prevented so that they do not even occur in the first place and finally what to do if they do happen. 
