Learning Objectives
To understand the fundamental concepts of output encoding.
To understand basic defensive practices against SQL injection attacks in mobile software development.
Introduction to SQL Injection
SQL injection
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL is inserted into a normal SQL statement, for example to dump the contents of a database. It exploits a vulnerability in the application rather than in the database itself: typically, untrusted user input is concatenated into a hard-coded SQL statement and the database then executes the attacker's text as part of the query.
Forms of SQL injection
There are several forms of SQL injection, ranging from direct insertion of code into user input variables that are then concatenated into the SQL statement to be executed, to less direct code insertion techniques. Some of them are listed below:
Incorrectly filtered escape characters
This form occurs when user input is passed into an SQL statement without filtering escape characters, above all the single quote that terminates a string literal. It is illustrated by the following example.
"SELECT * FROM users WHERE username = '" + username + "'" in which the variable username is controlled by the attacker, who can either supply an always-true clause (for example the value ' OR '1'='1, which turns the condition into username = '' OR '1'='1') or comment out the rest of the statement (for example the value admin' --). Moreover, if the database API executes several semicolon-separated statements per call, inserting a semicolon lets the attacker append a completely separate SQL statement; whether this works depends on the driver and database, so it must not be relied on as a defence.
Incorrect type handling
This form of injection takes place when no appropriate type checking is performed, for example when a value that should be a number is concatenated into the statement unquoted (WHERE id = 1 OR 1=1), so the attacker does not even need a quote character to break out. The implementation of this form can be the same as the previous one. Many other variants exist, but the point of every injection is the same: the input prematurely terminates a text string (or a numeric literal) and appends a new clause or command.
Defense of SQL injection
Parameterized statements
Instead of embedding user input in the query text, use placeholders (? or named parameters) and pass the values separately; the driver binds them as data, so quote characters, comments and keywords inside them are never parsed as SQL. Parameterization also covers the missing type handling in the second form above, because a bound value cannot rewrite the statement; where the database is loosely typed (SQLite, for example), the application should still convert and validate the type itself before binding.
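The following is an added example, not code from the original page, that runs both vulnerable forms described above (unfiltered quote characters and missing type handling, including a stacked statement via a semicolon) against a constructed in-memory SQLite database and then repeats each attack against the parameterized versions. The users table, its three rows and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the original page): an in-memory SQLite
# database with three users, so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pa55")])
    return conn

# --- Vulnerable forms ------------------------------------------------------

# Incorrectly filtered escape characters: the username is concatenated into the
# statement, so a quote inside it ends the string literal and the rest is SQL.
def find_user_vulnerable(conn, username):
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

# Incorrect type handling: an id that should be an integer is pasted in unquoted,
# so the attacker does not need a quote character at all.
def find_by_id_vulnerable(conn, user_id):
    query = "SELECT id, username FROM users WHERE id = " + str(user_id)
    return conn.execute(query).fetchall()

# Same concatenation, but run through an API that accepts several semicolon-separated
# statements (executescript here), so a stacked statement runs too. Returns the
# number of rows left in the table afterwards.
def find_user_vulnerable_stacked(conn, username):
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    conn.executescript(query)
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

# --- Hardened forms: parameterized statements ------------------------------

# The ? placeholder is bound by the driver; the value is never parsed as SQL.
def find_user_safe(conn, username):
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()

# Explicit type handling on top of the placeholder: reject anything not an integer,
# since SQLite itself would happily bind the string.
def find_by_id_safe(conn, user_id):
    user_id = int(user_id)  # "1 OR 1=1" raises ValueError here
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)).fetchall()

def demo():
    conn = make_db()
    r = {}
    r["honest_vuln"] = find_user_vulnerable(conn, "alice")     # [(1, 'alice')]
    r["honest_safe"] = find_user_safe(conn, "alice")           # [(1, 'alice')]

    # Always-true clause: WHERE username = '' OR '1'='1' matches every row.
    r["or_vuln"] = find_user_vulnerable(conn, "' OR '1'='1")   # all three rows
    r["or_safe"] = find_user_safe(conn, "' OR '1'='1")         # []

    # Comment-out: the closing quote the code appends disappears behind "--".
    r["comment_vuln"] = find_user_vulnerable(conn, "bob' --")  # [(2, 'bob')]
    r["comment_safe"] = find_user_safe(conn, "bob' --")        # []

    # No type check: WHERE id = 1 OR 1=1 again returns every row.
    r["type_vuln"] = find_by_id_vulnerable(conn, "1 OR 1=1")   # all three rows
    try:
        find_by_id_safe(conn, "1 OR 1=1")
        r["type_safe"] = "accepted"
    except ValueError:
        r["type_safe"] = "rejected"                            # 'rejected'

    # Stacked statement: the trailing SELECT ' absorbs the quote the code appends,
    # and with a multi-statement API the DELETE runs and empties the table.
    r["stacked_rows_left"] = find_user_vulnerable_stacked(conn, "x'; DELETE FROM users; SELECT '")  # 0
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that a plain conn.execute() in Python's sqlite3 refuses more than one statement per call, so the stacked attack only succeeds through executescript; that is a property of one driver, and the parameterized versions are what actually close the hole regardless of driver.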
Apply database permissions
Run the application under a database account that has only the permissions it needs (for example SELECT on the tables it reads, and no DROP, ALTER or access to other schemas). This does not prevent injection, but it limits what a successful injection can read or destroy, so it belongs alongside parameterized statements rather than in place of them.