SQL Injection Attacks Wiki
SQL Injection Attacks

A SQL injection attack is a method of entering carefully chosen text into a web form field in an attempt to discover information about, and contained within, a SQL database. In more advanced attacks, the initial probes are used to learn the database structure so that subsequent queries can extract meaningful data such as login information, credit card numbers and email addresses, or insert data into the database, as in the case of defacement.

DEFACEMENT:
One purpose of SQL injection attacks is to add malicious data to the database. In the most recent string of attacks, a JavaScript reference is appended to data fields used to provide web content on public-facing sites. Any site which uses a content management system is an optimal target for this type of attack. The defacement is mostly invisible, but the script tags reference JavaScript content located on a remote server, which can wreak havoc on users who visit a defaced site. The defaced site will be flagged as a "viral" threat by Google and your site may be blacklisted. Also, users who visit the site will be alerted by their web browser that the site poses a threat. The user may then be reluctant to ever return to the site.

PREVENTION:
The only way to protect your web site and your valuable data from SQL injection attacks is to implement a data sanitization scheme which takes into account all of the techniques currently used to perform such attacks. In essence, you must "cripple" any valid SQL contained within form results before using the data as part of a valid SQL query. This is something we at ecWare have always implemented. ecMerchant, all the forms on our site, and the sites we build incorporate our years of experience dealing with the threat of SQL injection attacks.

CURRENT THREAT:
SQL injection attacks are on the rise. There are now automated servers worldwide which scour the internet for publicly accessible web forms and use common SQL injection attack methodologies to exploit vulnerabilities. If you are not sure whether your site is protected, chances are it is not.

SANITIZATION:
Below is an example of how SQL injection attacks work and how we sanitize the form result data against attacks.

Text Form Field:
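The following is an added illustration, not ecWare's own sanitization code: it builds a constructed in-memory SQLite login table, shows a form field pasted directly into SQL text (the defect the article describes) beside the same lookup with bound parameters, and adds a small input check that can be used as a review or logging signal. The table, column names and the "alice" row are assumptions made for the example.

```python
import sqlite3
import re

def make_db():
    """Constructed in-memory stand-in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Defect: form field text is spliced into the SQL string, so quotes in the
    input become part of the query's syntax instead of a compared value."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the driver sends the form text as a
    value, so it can never change the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def flag_suspicious_input(text):
    """Review/logging signal (not the control): quote characters or a SQL
    comment sequence in a plain login field deserve a closer look."""
    return re.search(r"['\"]|--|/\*", text) is not None

def demo():
    conn = make_db()
    # Textbook tautology input: closes the password literal and appends an
    # always-true clause. Constructed for the comparison below.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_real_creds": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_crafted": login_vulnerable(conn, "alice", crafted),
        "param_real_creds": login_parameterized(conn, "alice", "correct-horse"),
        "param_crafted": login_parameterized(conn, "alice", crafted),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The vulnerable function accepts the crafted password because the spliced quotes rewrite the WHERE clause; the parameterized one rejects it because the same text is compared as a literal string.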
