Page 1490 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
'a' = 'a'
Reformatting that command slightly, you get the following:
SELECT *
FROM transactions
WHERE account_number ='145249';
DELETE *
FROM transactions
WHERE 'a' = 'a'
These are two separate SQL statements delivered to the database in a
single call (a stacked query). The first retrieves the requested
records. The second deletes every row in the transactions table, because
'a' = 'a' is true for every row. Whoops! Two practical caveats: whether
the second statement actually executes depends on the database driver
accepting more than one statement per call, and the DELETE * form is
Microsoft Access syntax, while standard SQL and most database servers
(MySQL, PostgreSQL, SQL Server) expect DELETE FROM transactions WHERE ...,
so an attacker tailors the payload to the target's dialect.
Protecting against SQL Injection
You can use three techniques to protect your web applications against
SQL injection attacks:
Use Prepared Statements Developers of web applications should
leverage prepared statements (parameterized queries) so that user input
can never alter the structure of a query and the application cannot be
tricked into executing arbitrary SQL. The application sends the database
a fixed SQL statement containing placeholders; the database parses and
plans that statement once, and the user-supplied values are bound to the
placeholders afterward and treated strictly as data, never as SQL.
Stored procedures take the same idea a step further: the SQL logic is
stored on the database server, where it may be modified only by database
administrators and developers with appropriate access, and the web
application calling the procedure may pass parameters to it but may not
alter the underlying statement. One caveat: a stored procedure that
builds a query by concatenating its arguments into a string and executing
that string dynamically is just as injectable as application code that
does the same thing.
Perform Input Validation As described earlier in this chapter
when talking about cross-site scripting, input validation lets you
restrict the types of data a user may provide in a form. In the case of
the SQL injection example we provided in the previous section, rejecting
or removing the single quote character (') would defeat that particular
payload. Filtering out known-bad characters is a blacklist approach,
however, and is easily bypassed (for example, a numeric field that is
never quoted in the query needs no quote character at all). The strongest,
and safest, form of input validation is whitelist validation, where the
developer specifies the exact nature of the expected input (e.g., an
integer less than 1024 or an alphanumeric string of fewer than 20
characters) and the code verifies that the user-supplied input matches
the expected pattern before submitting it to the database. Treat input
validation as defense in depth alongside prepared statements, not as a
replacement for them.
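The following Python script is an added example, not code from the
study guide: it reproduces the stacked-query attack from the
account_number example above against an in-memory SQLite table, then
shows the two defenses just described, a prepared statement and whitelist
validation. The sample rows are constructed, the six-digit account
number format is an assumption made for the example, and the payload
uses DELETE FROM rather than the Access-style DELETE * because SQLite
rejects the latter.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration; account numbers and amounts
# are made up and do not come from the study guide.
SAMPLE_ROWS = [
    ("145249", 100.00),
    ("145249", -25.50),
    ("998877", 12.00),
]

# Attacker-supplied form value modelled on the study guide's example. It closes
# the string literal, ends the SELECT, and appends a DELETE whose WHERE clause
# is always true. DELETE FROM is used rather than the Access-style DELETE *
# because SQLite (like most servers) rejects the latter.
MALICIOUS_INPUT = "145249'; DELETE FROM transactions WHERE 'a' = 'a"

# Whitelist pattern (an assumption for this example): an account number is
# exactly six ASCII digits. fullmatch() is used below so that a trailing
# newline cannot slip past a $ anchor.
ACCOUNT_NUMBER_RE = re.compile(r"[0-9]{6}")


def new_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (account_number TEXT, amount REAL)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows left in transactions; used to show the damage done."""
    return conn.execute("SELECT COUNT(*) FROM transactions").fetchone()[0]


def lookup_vulnerable(conn, account_number):
    """Builds the query by string concatenation, exactly the flaw on the page.

    executescript() runs the text as a script, so stacked statements execute
    just as they do on drivers that accept several statements per call; the
    SELECT's rows are discarded, which does not matter because the damage is
    done by the DELETE. sqlite3's plain execute() would refuse the second
    statement, a reminder that whether a stacked query runs depends on the
    driver, not on the application. Returns the SQL text actually sent.
    """
    sql = ("SELECT * FROM transactions WHERE account_number = '"
           + account_number + "'")
    conn.executescript(sql)
    return sql


def lookup_parameterized(conn, account_number):
    """Prepared statement: the SQL text is fixed and the value is bound to the
    ? placeholder, so it is treated as data and cannot change the query."""
    cur = conn.execute(
        "SELECT account_number, amount FROM transactions WHERE account_number = ?",
        (account_number,),
    )
    return cur.fetchall()


def validate_account_number(value):
    """Whitelist validation: accept only the exact expected form, reject all else."""
    if not ACCOUNT_NUMBER_RE.fullmatch(value):
        raise ValueError("account number must be exactly six digits")
    return value


def lookup_validated(conn, account_number):
    """Defense in depth: whitelist check first, then a prepared statement."""
    return lookup_parameterized(conn, validate_account_number(account_number))


if __name__ == "__main__":
    db = new_db()
    print("rows before attack:", row_count(db))
    print("sent to database:", lookup_vulnerable(db, MALICIOUS_INPUT))
    print("rows after attack:", row_count(db))

    db = new_db()
    print("parameterized, malicious input:", lookup_parameterized(db, MALICIOUS_INPUT))
    print("rows still present:", row_count(db))
    try:
        lookup_validated(db, MALICIOUS_INPUT)
    except ValueError as err:
        print("whitelist rejected input:", err)
    print("legitimate lookup:", lookup_validated(db, "145249"))
```

Running the script shows the vulnerable lookup emptying the table, the
parameterized lookup returning no rows for the same input while the table
stays intact (the whole payload is compared, as data, against the
account_number column), and the whitelist rejecting the payload before it
ever reaches the database.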
Limit Account Privileges The database account used by the web

