Security breaches are an increasing phenomenon.
As more and more databases are made accessible via the Internet and web-based applications, their exposure to security threats will rise.
The objective is to reduce susceptibility to these threats.
Perhaps the most publicized database application vulnerability has been the SQL injection.
SQL injections provide excellent examples for discussing security as they embody one of the most important database security issues, risks inherent to non-validated user input.
SQL injections can happen when SQL statements are dynamically created using user input.
The threat occurs when users enter malicious code that ‘tricks’ the database into executing unintended commands.
The vulnerability occurs primarily because of the features of the SQL language that allow such things as embedding comments using double hyphens (- -), concatenating SQL statements separated by semicolons, and the ability to query metadata from database data dictionaries.
The solution to stopping an SQL injection is input validation.
SQL injections can be prevented by validating user input.
Three approaches are commonly used to address query string validation: using a black list, using a white list, or implementing parameterized queries.
The black list parses the input string comparing each character to a predefined list of non-allowed characters. The disadvantage to using a black list is that many special characters can be legitimate but will be rejected using this approach. The common example is the use of the apostrophe in a last name such as O’Hare.
The white list approach is similar except that each character is compared to a list of allowable characters. The approach is preferred but special considerations have to be made when validating the single quote.
Parameterized queries use internally defined parameters to fill in a previously prepared SQL statement.
The importance of input validation cannot be overstated. It is one of the primary defense mechanisms for preventing database vulnerabilities including SQL injections.