
Databases and Website Security
J. Kasiroori
Department of Analytics & Informatics
Overview
• Database security
• Cross site prevention
• Data sanitization
• Handling inputs securely

Database security: Basic Security Requirements
• Physical database integrity. The data of a database are immune from physical
problems, such as power failures, and someone can reconstruct the database if it is
destroyed through a catastrophe.
• Logical database integrity. The structure of the database is preserved. With logical
integrity of a database, a modification to the value of one field does not affect other
fields, for example.
• Element integrity. The data contained in each element are accurate.
• Auditability. It is possible to track who or what has accessed (or modified) the
elements in the database.
• Access control. A user is allowed to access only authorized data, and different users
can be restricted to different modes of access (such as read or write).
• User authentication. Every user is positively identified, both for the audit trail and for
permission to access certain data.
• Availability. Users can access the database in general and all the data for which they
are authorized.
Types of Attacks
• Tautology: This form of attack injects code into one or more conditional statements so that they always evaluate to true.
• End-of-line comment: After injecting code into a particular field, the legitimate code that follows is nullified through the use of end-of-line comments.
• Piggybacked queries: The attacker adds additional queries beyond the intended query, piggybacking the attack on top of a legitimate request.
Tautology Attacks
SQL Injection Example
• The SQL injection attack typically works by prematurely terminating a text string and appending a new command.
• Example SQL injection: suppose you have an SQL statement which says:
SELECT first_name, surname, reg_number FROM students WHERE first_name = name
A user can provide this as the value of name = "Ruth; DROP TABLE marks;"
• This translates to 2 commands:
1. SELECT first_name, surname, reg_number FROM students WHERE first_name = "Ruth";
2. DROP TABLE marks
SQL Injection Example
• Then there is the "1=1", which always evaluates to TRUE.
• Suppose you have an SQL statement which says:
SELECT first_name, surname, reg_number FROM students WHERE reg_number = rnum
A user can provide this as the value of rnum = "R123456A OR 1=1"
• This just tells the database to return everything in the table in question.
SQL Injection
• One of the most prevalent and dangerous network-based security threats
• Sends malicious SQL commands to the database server
• Depending on the environment, SQL injection can also be exploited to:
  • Modify or delete data
  • Execute arbitrary operating system commands
  • Launch denial-of-service (DoS) attacks

Improper Data Handling Example
• You have a script to select users based on a certain mark for 4th years:
SELECT student, mark FROM marks WHERE term_mark = t_mark AND year = 4;
• You expect the user to give you the mark they want for your visualisation.
• But the user provides this for t_mark = "> 1; --"
• This essentially presents the attacker with ALL the marks in the table and uses a comment to render the rest of the statement invalid.
• I have seen code like this:
SELECT * FROM users WHERE username = '{username}' AND password = '{password}'
This is a blank cheque:
SELECT * FROM users WHERE username = 'admin' -- ' AND password = 'anything';
Protections Against Attacks: User Data Sanitisation
Use prepared statements
• Pre-compiles SQL queries, separating code from data.
• Reduces the risk of SQL injection by not allowing user input to alter the query structure.
• Efficient for executing the same query multiple times with different parameters.
Use parameterized queries
• Ensures user input is treated strictly as data, not executable code.
• Forces input into predefined placeholders in the query.
• Prevents malicious input (like SQL commands) from being executed.
Prepared Statement Example
"SELECT * FROM users WHERE username = ? AND password = ?"
• The ? placeholders are used for the username and password.
• The values are safely passed into the query using a tuple: (username, password).
• This prevents any user input from altering the SQL query structure.
Parametrized Statements
"SELECT * FROM users WHERE username = %s AND password = %s"
• %s is the placeholder for the parameters (in this case, the username and password).
• When using this in Python with mysql-connector-python or PyMySQL, the actual user input values are passed safely to these placeholders via the cursor.execute() function.
• User inputs are treated as data, not as part of the SQL query itself.
• This protects your code against SQL injection attacks.


END