Databases stolen with SQL Injection attacks and how to avoid them

Multiple Swedish websites have had the misfortune of being the target of SQL Injection attacks. For example, wrote this monday an article about Allabolag who, unfortunately, got to experience SQL Injection attacks.

SQL Injections are possible due to mistakes done when coding an application,
and means that and as a result sensitive information from databases could be stolen.

How do you avoid attacks?

You should make sure your website cannot be the target of a SQL injection, as that can, amongst other things, read sensitive data from the database and in some cases issue commands to the operating system. Because of this, it’s highly recommended to review and test your code before publishing it online. While this may seem daunting at first, you’ll see that it does not take that much effort once you’ve read up on it and know what to look for. The two easiest ways to mitigate SQL injection attacks are Parameterized queries using bound, typed parameters and Careful use of parameterized stored procedures.

It is also advised to place a WAF, Web Application Firewall, in front as this will assist in blocking harmful attack attempts towards your website. A WAF will assist in protecting your website against SQL Injections, but it can also give you multiple other features such as being able to block known exploits, as previously mentioned in our Christmas Calendar for 2014.