0

I am preparing for an exam in distributed systems and I'm struggling with the following question:

You have written an internet application using html input elements for the users entries. The users input is part of SQL statements. What should you be aware of concerning security? Explain the solution and problem. Give an example.

Is anyone familiar with this scenario and can help?

Dharman
  • 30,962
  • 25
  • 85
  • 135
Michaella Garcia
  • 1
  • 4
    Research (i.e. google) "SQL injection attacks". Weep a little. Promise to yourself and to the world at large to only use parameter binding, even after thorough input sanitation – Hans-Martin Mosner Jul 28 '19 at 14:55
  • Makes sense! Danke für den Ansatz – Michaella Garcia Jul 28 '19 at 15:27
  • 2
    Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) & [What is SQL injection?](https://stackoverflow.com/q/601300/1839439) – Dharman Jul 28 '19 at 16:04

1 Answers1

3

This is a common web hacking technique called SQL Injection

SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.

Without protection it is possible to get usernames and passwords or delete the whole database. For an example see https://www.w3schools.com/sql/sql_injection.asp

For proection you can use the following techniques:

  • 1: Use of Prepared Statements (with Parameterized Queries)
  • 2: Use of Stored Procedures
  • 3: Whitelist Input
  • 4: Escaping All User Supplied Input

For futher information see :https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

UrlaubItalien
  • 31
  • 3