Simple SQL Injection Example – Review Security and Remediate

Something I regularly do, is review security against attacks and remediate if required.

This example is a simple SQL injection attack.

There is a few things in addition to code which can either prevent, log or alert this activity. Some examples listed below

  • Restrict special characters in usernames ( this wouldn’t pass the “*” )
  • Software Firewalls should block SQL injection ( This blocks the Select statements )
  • ATP (Advanced Threat Protection) monitoring access to the SQL database will alert also. (This can either log or block the traffic)

Example: Web Site – SQL injection in the username of a web portal

Username: “Select * From table 1”

Password : Blank

Result

Access Denied. Potential loophole is blocked.

Reason

One of the many firewall rules in place blocks SQL injection and the platform restricts special characters being used as usernames.