Services to avoid MySQL injection attacks?

From what I know, aside from DDoS, the most common kind of website attacks are due to the execution of custom MySQL injected code. All areas where you can input data and are directly connected to a website's database are potentially exploitable through such code... unless they're properly secured, at least.
Unless you have a deep knowledge of MySQL, it's hard, if not impossible, to think of all the possible security flaws your website might have, so it's best to refer to experts and professional solutions.

Are there any services that can help make your website more secure against MySQL code injection attacks?

Here are some tips for you -

1. Use https instead of http - Always use the encrypted connection . So you must have SSL certificate installed on your service.

2. Use Green SQL - It is the proxy for the green database. Your website first connects to GreenSQL instead of your MySQL database directly. It used to forward only legitimate SQL to your database and provided the output in result. It has the list of white-listed databases. If the database entry is not prevent then it will detect it as suspicious entry and will not provide the answer.

3. Update and patch PHP - It always recommended to patch and update the PHP to it's latest version.

4. Never connect using superuser - It's always recommended to connect to database using the superuser, always use the user with privileged access.

5. Use the prepared statements - Use the prepared statements with variables.


Hope this will help you.

There are two main ways to stop SQL injection attacks.

1. Server level :- This is mostly using a WAF or some URL policies by matching the URI in request. In case of WAF, available solutions like ModSecurity rules available already contain some rules to check SQL injection attacks and block them

2. Application Level :- This need some extensive programming skills. But this, you need to analyse the URI in requests at application level and filter it out. For this you need to know the possible SQL Attack patterns against your application.

Thanks to everyone for your answers! They're all very informative and helpful.

24x7servermanageme said:

Here are some tips for you -

1. Use https instead of http - Always use the encrypted connection . So you must have SSL certificate installed on your service.

2. Use Green SQL - It is the proxy for the green database. Your website first connects to GreenSQL instead of your MySQL database directly. It used to forward only legitimate SQL to your database and provided the output in result. It has the list of white-listed databases. If the database entry is not prevent then it will detect it as suspicious entry and will not provide the answer.

3. Update and patch PHP - It always recommended to patch and update the PHP to it's latest version.

4. Never connect using superuser - It's always recommended to connect to database using the superuser, always use the user with privileged access.

5. Use the prepared statements - Use the prepared statements with variables.


Hope this will help you.

Click to expand...

Very solid list. Employing proper security measures is probably even better than using third-party applications to fill the holes in the end.

VirtuBox said:

I do not see how https will protect a website against SQL Injection ?
SQL injection are not a common type of attack, because most part of security vulnerabilities are related to Cross-site scripting (XSS) attack or cross-site request forgery (CSRF).

You can block the most part of attacks by adding the proper security headers to your web server configuration.
You can easily check if security headers are set on your website with securityheaders.io.

About SQL injection, you can use a WAF (Web Application Firewall) like NAXSI for Nginx or ModSecurity for Apache.
Then keep your application up-to-date to not be vulnerable when security issues are discovered

Click to expand...

I might have heard about them in the past, but I can't recall that much about them, unfortunately. I know of SQL injection attacks from articles regarding major websites being attacks, so I presumed they would be some of the most popular (seeing how easy they are to attempt, too). Nonetheless, this is exactly what I wanted to know, thank you!

mobin said:

There are two main ways to stop SQL injection attacks.

1. Server level :- This is mostly using a WAF or some URL policies by matching the URI in request. In case of WAF, available solutions like ModSecurity rules available already contain some rules to check SQL injection attacks and block them

2. Application Level :- This need some extensive programming skills. But this, you need to analyse the URI in requests at application level and filter it out. For this you need to know the possible SQL Attack patterns against your application.

Click to expand...

Would that be like preventing attacks from the get-go for the first level and filtering them out once the code has already been injected (but not executed) for the second one, right? I guess using them both can't hurt that much.