If you are an online business or website owner, then you should already be well acquainted with the need for active website security to protect your website from hackers. One of the most common and most dangerous kinds of website attacks are the result of a hacking technique which involves manipulating your websites mySQL database servers remotely. These attacks are known as mySQL injections and are some of the most dangerous types of attacks especially for larger businesses who host a lot of sensitive customer information.
Many high-profile website hacks have happened in the past including to large organizations such as the Wall Street Journal and even the US government. In this article we’ll go into some of the most common SQL injection techniques and how to secure your website against them.
The anatomy of a basic mySQL injection
An obvious example of a mySQL injection would be one used to access the private website dashboard of a PHP based website running a CMS such as WordPress.
When logging in, the data from the login form is sent to the web server for processing using the code written to handle logging in to the website. Vulnerabilities occur when users use the input methods available (for example a form) to trick the server into running code not as initially intended. As an example take the following code used by Sitepoint to highlight this issue:
$sql_command = "select * from users where username = '" . $_POST['username']; $sql_command .= "' AND password = '" . $_POST['password'] . "'";
When inputting a normal username or password, the code will run fine and will either return a successful login or an error message. But what if a malicious attacker tries something else?
Using the login in the above image will cause the output to look like this:
SELECT * FROM users WHERE username='john' OR 1=1; -- ' AND password='123456'
The code now has the part of the code which checks the password commenting out and will cause the server to return a non-empty dataset. Malicious attacks like this can be used to bypass a websites login screen without having permission.
As scary as this might sound, this is only the tip of the iceberg compared to the extent to which a qualified hacker can use mySQL to reak havoc on websites and online applications by stealing important information or worse.
How to protect WordPress from mySQL injections without coding
If you are a website owner with limited coding experience running a popular CMS such as WordPress, your ability to prevent mySQL injections on your website will be limited primarily to finding the right website host and website developers who understand and value the need for secure coding practices and web hosting practices in order to prevent your site from being compromised. The following are popular WordPress plugins that offer varying levels of security against mySQL injections:
We recommend that one of these plugins be installed on your WordPress website at all times and that you speak to your website host and website developers to ensure they are up to date with the most recent techniques used to prevent mySQL attacks on WordPress websites.
How to prevent mySQL injections as a developer
If are a developer, then your job is a lot more difficult than simply installing a WordPress plugin, especially if you are working with custom applications that deal with sensitive user data. Below are the top ten coding and testing best practices to follow for securing any website or online application.
1. Use prepared mySQL statements with parameterized queries or use stored procedures
One of the most robust and fundamental techniques for avoiding mySQL injection vulnerabilities from the ground up, writing database queries as parameterized queries instead of dynamic queries is the first place to start. This style of coding allows mySQL to tell the difference between the code itself and inputted data, regardless of what input is being supplied. Here is an example for doing this in PHP. Its important to learn how to do this for whatever language you might be using before taking any applications live. An alternative to parametrized queries, stored procedures allow developers to achieve the same effect by defining code which is stored in the mySQL database itself so it can’t be modified maliciously.
2. Implement client-side input validation
On a basic level, all input to a website should be validated before being passed onto your server for use in executed code. This includes any external inputs from any data sources at all, including inputs that may seem trivial or irrelevant – never doubt the ingenuity of a motivated hacker. For detailed information on best practices we recommend Mozillas guide here.
3. Use character escaping functions
Using character escaping in your code is a small change that can go a long way to preventing mySQL injections in many situations. Although potentially seen as more of a last resort than other techniques, escaping characters is still an important tool in your arsenal.
4. Avoid admin privileges on mySQL users
This may sound obvious, but limiting connecting to your mySQL database with admin privileges is a huge security risk. Instead, create different users with only the privileges they need.
5. Implement a server side Web Application Firewall (WAF)
A Web Application Firewall will monitor all data going between two servers to identify malicious activity. When coding best practices fail, WAF’s can mitigate any potential damage by picking up on threats before they reach your server.
Don’t take the risk of letting your website getting hacked and potentially costing you, your businesses, or your clients a fortune. Instead, we recommend constantly keeping up to date with the latest mySQL injection threats and techniques to avoid them. After all, prevention is always easier than a cure.