15 Jul, 2021

How to Protect: SQL Injection

This video is for informational purposes; it was prepared to raise awareness of SQL Injection attacks and of the measures that protect against them.

00:00:00 How to Protect: SQL Injection
00:00:12 In this video, an attack simulation against an improperly configured database is presented from the perspective of a black-hat hacker.
00:00:16 In this section, the entry points used for vulnerability detection are discovered.
00:00:21 After the entry points are discovered, the single-quote (') character and SQL query expressions are used to detect the vulnerability at those points.
00:00:34 Once the vulnerability is confirmed, SQL query expressions are used to find the number of columns stored in the database.
00:01:02 Information about the system, such as its 'version', is obtained.
00:01:18 All the data in the entire database is obtained with an automated tool.
00:03:20 LESSONS LEARNED: The most effective protection against SQL Injection is the Prepared Statements method.

A prepared statement is a parameterized, reusable SQL query that forces the developer to keep the SQL command and the user-supplied data separate.

This keeps the SQL command in a safe form and prevents SQL Injection vulnerabilities. Compared to executing SQL commands directly, prepared statements have three main advantages:
1. Prepared statements reduce parsing time, because the query is parsed and prepared only once even if the statement is executed many times.
2. Bound parameters in prepared statements minimize the bandwidth to the server, since only the parameter values need to be sent each time, not the entire query.
3. Prepared statements are very useful against SQL injection because the parameter values, which are transmitted separately from the statement, do not need to be escaped correctly by the developer. SQL Injection cannot occur as long as the statement template itself is not built from external input.
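The difference between splicing user input into the SQL text and binding it as a parameter, shown as an added example that is not part of the original post. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the single-quote probe from the video's detection step breaks the concatenated query but is handled as plain data by the prepared statement.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory sample table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # input changes the structure of the statement instead of being data.
    query = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone()


def find_user_prepared(conn, username):
    # Prepared statement: the template is fixed, and the value is bound as a
    # separate parameter, so quotes inside it never reach the SQL parser.
    query = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()


def probe(conn, username):
    """Run both variants on the same input and report how each handled it."""
    try:
        unsafe, unsafe_error = find_user_unsafe(conn, username), None
    except sqlite3.OperationalError as exc:
        # The concatenated statement became malformed SQL: the sign a tester
        # looks for when probing an entry point with a single quote.
        unsafe, unsafe_error = None, str(exc)
    prepared = find_user_prepared(conn, username)
    return {"unsafe": unsafe, "unsafe_error": unsafe_error, "prepared": prepared}


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(name, probe(db, name))
```

For the legitimate name o'brien the concatenated version fails with a syntax error while the prepared statement returns the correct row, which is exactly the behaviour that shows the template was never derived from the input.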
