Services to avoid MySQL injection attacks?

#1
From what I know, aside from DDoS, the most common kind of website attacks are due to the execution of custom MySQL injected code. All areas where you can input data and are directly connected to a website's database are potentially exploitable through such code... unless they're properly secured, at least.
Unless you have a deep knowledge of MySQL, it's hard, if not impossible, to think of all the possible security flaws your website might have, so it's best to refer to experts and professional solutions.

Are there any services that can help make your website more secure against MySQL code injection attacks?
 

24x7serverman
#2
Here are some tips for you -

1. Use https instead of http - Always use an encrypted connection. So you must have an SSL certificate installed on your server.

2. Use GreenSQL - It is a proxy for the database. Your website first connects to GreenSQL instead of your MySQL database directly. It is used to forward only legitimate SQL to your database and provide the output in the result. It has a list of white-listed queries. If the query is not present, then it will detect it as a suspicious entry and will not provide the answer.

3. Update and patch PHP - It is always recommended to patch and update PHP to its latest version.

4. Never connect using the superuser - It's always recommended to connect to the database using the superuser, always use a user with privileged access.

5. Use prepared statements - Use prepared statements with bound variables.


Hope this will help you. :)
 

VirtuBox
Global Mod / Staff Member
#3
I do not see how https will protect a website against SQL injection?
SQL injections are not a common type of attack, because most security vulnerabilities are related to cross-site scripting (XSS) attacks or cross-site request forgery (CSRF).

You can block most attacks by adding the proper security headers to your web server configuration.
You can easily check whether security headers are set on your website with securityheaders.io.

About SQL injection, you can use a WAF (Web Application Firewall) like NAXSI for Nginx or ModSecurity for Apache.
Then keep your application up-to-date so you are not vulnerable when security issues are discovered.
 

mobin
#4
There are two main ways to stop SQL injection attacks.

1. Server level :- This is mostly using a WAF or some URL policies that match the URI in the request. In the case of a WAF, available solutions like ModSecurity already contain rules to check for SQL injection attacks and block them.

2. Application level :- This needs some extensive programming skills. For this, you need to analyse the URI in requests at the application level and filter it out. You need to know the possible SQL attack patterns against your application.
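As an added example (not code from any poster in this thread), here is what post #2's "prepared statements" tip and post #4's "application level" filtering look like together in PHP/PDO, with the unsafe string-concatenation version beside the safe one. The DSN, the `app_readonly` account, the password placeholder and the `users(id, name)` table are assumptions for illustration.

```php
<?php
// Added illustration, not taken from the thread. Assumes a MySQL database with
// a table users(id INT, name VARCHAR) reachable through PDO; DSN, account and
// password below are placeholders.
$dsn  = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$user = 'app_readonly';   // least-privilege account (SELECT only), never root
$pass = 'CHANGE_ME';      // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// VULNERABLE: the request value is spliced into the SQL text, so the database
// parses attacker-controlled characters as part of the query itself.
function findUserUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value is sent separately as
// a typed parameter, so the server can only ever treat it as data.
function findUser(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Application-level filtering (post #4): reject any input that does not have
// the exact shape the parameter needs, before it reaches the database at all.
// Rejecting by shape (a positive integer) is more robust than trying to
// enumerate attack patterns.
function validatedId(array $query): int
{
    $id = filter_var($query['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid id');
    }
    return $id;
}

$rows = findUser($pdo, validatedId($_GET));
header('Content-Type: application/json');
echo json_encode($rows);
```

On the database side the same least-privilege idea from post #2 is a `GRANT SELECT` for `app_readonly` on only the tables the application reads, so even a successful injection cannot write or read anything else.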
 
#5
Thanks to everyone for your answers! They're all very informative and helpful.

> [quoting 24x7serverman, post #2 above]
Very solid list. Employing proper security measures is probably even better than using third-party applications to fill the holes in the end.

> [quoting VirtuBox, post #3 above]
I might have heard about them in the past, but I can't recall that much about them, unfortunately. I know of SQL injection attacks from articles about major websites being attacked, so I presumed they would be some of the most popular (seeing how easy they are to attempt, too). Nonetheless, this is exactly what I wanted to know, thank you!

> [quoting mobin, post #4 above]
Would that be like preventing attacks from the get-go for the first level and filtering them out once the code has already been injected (but not executed) for the second one, right? I guess using them both can't hurt that much.
 

mobin
#6
That is correct. Please note that, as long as the injection can be executed and cannot reach the tables, it's OK to go through the first level. When the application can filter out such requests, that means you are still safe. But for this, you must know what you are doing.