Is it possible to filter web requests that contain SQL injections values?
You might be looking for a Web Application Firewall (WAF), but also take a look at https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF. So still be sure to use Defense In Depth. – Shawn Jun 19 '20 at 15:31
1 Answer
There are Web Application Firewalls or Database Firewalls that attempt to do this.
You must define either patterns for accepting input, or else a list of literal inputs that are allowed.
Some of these products work by letting you "train" them by running your app during a time when you know there are no SQL injection attacks going on, and it records the SQL queries that are known to be legitimate. Then you turn off the training mode, and subsequently the firewall will block anything that doesn't match its list of inputs to allow.
Problems with this solution:

- If you need to change your web application, you need to re-train the firewall before you can deploy your app.
- It limits you to run SQL queries that can be matched by such a list. If you have SQL that is highly variable (for example, dynamic queries that do extra joins or extra terms in the WHERE clause conditionally), it's hard to make rules for what to allow.
- Firewall-based solutions cannot block SQL injection that occurs within stored procedures.
- It gives you a false sense of security, tempting you to be lax about writing secure code.
Ultimately, you're better off protecting yourself from SQL injection in code by using query parameters.
This is the answer to virtually every question about SQL injection on Stack Overflow!
See also some of my past answers on web app firewalls or database firewalls:
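The following is an added example, not code from the question or the answer above. It puts the two approaches the answer compares side by side: a "trained" allowlist of query shapes, which blocks an injected query but also blocks a legitimate dynamic query until it is re-trained (the first two problems in the list), and a parameterized query, which needs no filtering at all. The `users` table, the `QueryAllowlist` class and the `query_shape` normalizer are constructed for this illustration and are not part of any real firewall product.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a small in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately insecure: the input is pasted into the SQL text, so it can
    change the structure of the query (this is what a firewall tries to catch)."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Query parameter: the input is bound as data and is never parsed as SQL,
    so no filtering of the request is needed."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


# Hypothetical normalizer: replace string and numeric literals with '?' so that
# queries differing only in their values share one "shape".
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


def query_shape(sql):
    return re.sub(r"\s+", " ", _LITERAL.sub("?", sql)).strip().lower()


class QueryAllowlist:
    """Hypothetical model of a database firewall in 'training mode': while
    training, every observed query shape is recorded as legitimate; afterwards,
    only queries whose shape was seen during training are allowed."""

    def __init__(self):
        self.shapes = set()
        self.training = True

    def observe(self, sql):
        shape = query_shape(sql)
        if self.training:
            self.shapes.add(shape)
            return True
        return shape in self.shapes


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, hostile))  # every row
    print("parameterized:", lookup_safe(conn, hostile))     # no rows

    fw = QueryAllowlist()
    fw.observe("SELECT name FROM users WHERE name = 'alice' ORDER BY id")
    fw.training = False
    print("allowed:", fw.observe("SELECT name FROM users WHERE name = 'bob' ORDER BY id"))
    print("blocked:", fw.observe("SELECT name FROM users WHERE name = '' OR '1'='1' ORDER BY id"))
    # A legitimate query with one extra WHERE term is blocked too, until re-training.
    print("blocked:", fw.observe(
        "SELECT name FROM users WHERE name = 'bob' AND role = 'user' ORDER BY id"))
```

The allowlist does stop the injected query, but it equally stops the conditional `AND role = ?` variant, which is exactly the re-training and dynamic-query problem the answer describes; the parameterized lookup needs neither training nor pattern rules.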