Services to avoid MySQL injection attacks?

PenguinManiac

Member
Registered
Joined
Jun 27, 2017
Messages
59
Points
8
From what I know, aside from DDoS, the most common kind of website attacks are due to the execution of custom MySQL injected code. All areas where you can input data and are directly connected to a website's database are potentially exploitable through such code... unless they're properly secured, at least.
Unless you have a deep knowledge of MySQL, it's hard, if not impossible, to think of all the possible security flaws your website might have, so it's best to refer to experts and professional solutions.

Are there any services that can help make your website more secure against MySQL code injection attacks?
 

24x7serverman

Well-known member
Hosting Provider
Registered
Joined
Jul 25, 2017
Messages
651
Points
28
Here are some tips for you -

1. Use https instead of http - Always use the encrypted connection . So you must have SSL certificate installed on your service.

2. Use Green SQL - It is the proxy for the green database. Your website first connects to GreenSQL instead of your MySQL database directly. It forwards only legitimate SQL to your database and provides the output in result. It has the list of white-listed databases. If the database entry is not present then it will detect it as a suspicious entry and will not provide the answer.

3. Update and patch PHP - It is always recommended to patch and update PHP to its latest version.

4. Never connect using superuser - It's always recommended to connect to database using the superuser, always use the user with privileged access.

5. Use the prepared statements - Use the prepared statements with variables.


Hope this will help you. :)
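Tip 5 (prepared statements) is the one that actually closes the hole, so here is a worked illustration of it. This is an added example, not code from the thread or from GreenSQL; it uses Python's built-in sqlite3 module purely so it runs offline (the placeholder mechanism is the same idea as MySQL prepared statements in PHP's PDO or mysqli), and the table, rows and inputs are constructed for the demo.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: user input is spliced into the SQL text itself,
    so quote characters in the input change the meaning of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Hardened pattern: the query text is fixed and the value travels as a
    bound parameter, so whatever the input contains it is only ever compared
    as a string against the name column."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # constructed input containing a quote
    print(lookup_concat(db, tautology))   # every row comes back
    print(lookup_prepared(db, tautology)) # no row is named x' OR '1'='1
```

The concatenated version returns every user for an input containing a single quote, while the parameterised version returns nothing for the same input and still finds "alice" or "bob" for normal names. Pair this with tip 4 read the way the heading intends: the application's database account should hold only the grants it needs (for example `GRANT SELECT, INSERT ON app.* TO 'app'@'localhost'` in MySQL) rather than root, so that even a query that does slip through cannot read or alter other schemas.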
 

VirtuBox

Well-known member
Registered
Joined
May 3, 2016
Messages
1,622
Points
83
I do not see how https will protect a website against SQL injection?
SQL injections are not a common type of attack, because most security vulnerabilities are related to cross-site scripting (XSS) attacks or cross-site request forgery (CSRF).

You can block most attacks by adding the proper security headers to your web server configuration.
You can easily check if security headers are set on your website with securityheaders.io.

About SQL injection, you can use a WAF (Web Application Firewall) like NAXSI for Nginx or ModSecurity for Apache.
Then keep your application up-to-date so it is not vulnerable when security issues are discovered.
 

mobin

Well-known member
Registered
Joined
Jun 22, 2017
Messages
234
Points
28
There are two main ways to stop SQL injection attacks.

1. Server level :- This is mostly done using a WAF or some URL policies by matching the URI in the request. In the case of a WAF, available solutions like ModSecurity already contain rules to check for SQL injection attacks and block them.

2. Application level :- This needs some extensive programming skills. For this, you need to analyse the URI in requests at the application level and filter it out. For this you need to know the possible SQL attack patterns against your application.
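To make the "server level" versus "application level" distinction concrete, here is an added example (not code from the thread, ModSecurity or NAXSI) of the kind of pattern matching both levels rely on: a small detector that decodes the request URI from access-log lines and flags query strings containing SQL meta-syntax. The log lines, IPs and paths are constructed for the demo. This is a heuristic, so it produces false positives on legitimate input containing quotes or the word "union"; it is a detection and blocking aid, not a substitute for prepared statements in the application.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic), common log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /product.php?id=42 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2017:13:55:40 +0000] "GET /product.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
203.0.113.9 - - [10/Oct/2017:13:56:01 +0000] "GET /search.php?q=union%20select%20null HTTP/1.1" 200 301
198.51.100.2 - - [10/Oct/2017:13:56:10 +0000] "GET /about.php HTTP/1.1" 200 1200
"""

# Pull method and URI out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Heuristic indicators of SQL meta-syntax inside a query string.  Each
# pattern is the kind of signature a WAF rule set encodes; the list is
# deliberately short and illustrative, not exhaustive.
INDICATORS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I),  # quote-terminated boolean tautology
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r"(--|/\*)"),                           # SQL comment sequences
]


def flagged_uris(log_text):
    """Return the decoded URIs of requests whose query string matches an
    indicator.  URIs without a query string are never flagged."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        uri = unquote_plus(match.group("uri"))   # %27 -> ', %20 -> space, etc.
        if "?" not in uri:
            continue
        query = uri.split("?", 1)[1]
        if any(pattern.search(query) for pattern in INDICATORS):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    for uri in flagged_uris(SAMPLE_LOG):
        print("suspicious:", uri)
```

A WAF such as ModSecurity applies rules of this shape to every request before it reaches PHP (the "server level"); the same matching done inside the application, ideally before the value is ever used in a query, is the "application level". Either way the decision is made on request text, which is why the thread's advice to also use prepared statements still stands: a parameterised query is safe even for input the patterns miss.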
 

PenguinManiac

Member
Registered
Joined
Jun 27, 2017
Messages
59
Points
8
Thanks to everyone for your answers! They're all very informative and helpful.

Here are some tips for you -

1. Use https instead of http - Always use the encrypted connection . So you must have SSL certificate installed on your service.

2. Use Green SQL - It is the proxy for the green database. Your website first connects to GreenSQL instead of your MySQL database directly. It forwards only legitimate SQL to your database and provides the output in result. It has the list of white-listed databases. If the database entry is not present then it will detect it as a suspicious entry and will not provide the answer.

3. Update and patch PHP - It is always recommended to patch and update PHP to its latest version.

4. Never connect using superuser - It's always recommended to connect to database using the superuser, always use the user with privileged access.

5. Use the prepared statements - Use the prepared statements with variables.


Hope this will help you. :)
Very solid list. Employing proper security measures is probably even better than using third-party applications to fill the holes in the end.

I do not see how https will protect a website against SQL injection?
SQL injections are not a common type of attack, because most security vulnerabilities are related to cross-site scripting (XSS) attacks or cross-site request forgery (CSRF).

You can block most attacks by adding the proper security headers to your web server configuration.
You can easily check if security headers are set on your website with securityheaders.io.

About SQL injection, you can use a WAF (Web Application Firewall) like NAXSI for Nginx or ModSecurity for Apache.
Then keep your application up-to-date so it is not vulnerable when security issues are discovered.
I might have heard about them in the past, but I can't recall that much about them, unfortunately. I know of SQL injection attacks from articles regarding major websites being attacked, so I presumed they would be some of the most popular (seeing how easy they are to attempt, too). Nonetheless, this is exactly what I wanted to know, thank you!

There are two main ways to stop SQL injection attacks.

1. Server level :- This is mostly done using a WAF or some URL policies by matching the URI in the request. In the case of a WAF, available solutions like ModSecurity already contain rules to check for SQL injection attacks and block them.

2. Application level :- This needs some extensive programming skills. For this, you need to analyse the URI in requests at the application level and filter it out. For this you need to know the possible SQL attack patterns against your application.
Would that be like preventing attacks from the get-go for the first level and filtering them out once the code has already been injected (but not executed) for the second one? I guess using them both can't hurt that much.
 

mobin

Well-known member
Registered
Joined
Jun 22, 2017
Messages
234
Points
28
That is correct. Please note that, as long as the injection can be executed and cannot reach the tables, it's ok to go through the first level. When the application can filter out such requests, that means you are still safe. But for this, you must know what you are doing.
 