parameterized statements. Parameterized SQL queries are very beneficial from several points of view. Security and performance are two of the main benefits. From a security standpoint, parameterized SQL queries help increase security by separating SQL logic from the data being supplied. Parameterizing the SQL query results in the escaping of dangerous characters such as single quotes, double quotes, and backslash characters. If the query is dynamically constructed, then the escape function has to be written separately. This is not recommended, as escape functions are very important and improperly writing these functions can result in SQL injection attacks.
Performance is another benefit of parameterizing SQL queries. Parameterizing SQL queries only requires each query to be parsed a single time. Once the query is run many times, the pre-parsing activity performed by the parameterized query ensures that the load on the database engine is reduced at execution, and the query is thus optimized as compared to a dynamic construction of a query based on user input.
10.3.1.2 Use of PreparedStatement for Parameterizing SQL Queries
A Statement is an object used for executing a static SQL statement and returning the results it produces, whereas a PreparedStatement object is like a regular Statement object, in that it can be used to execute SQL statements. The important difference that should be noted is that the SQL in a PreparedStatement is precompiled by the database for faster execution. Once a PreparedStatement has been compiled, it can still be customized by adjusting predefined parameters. Prepared statements are useful in applications that have to run the same general SQL command over and over.
10.3.1.3 Lack of Input Validation
Input validation is also an important requirement to ensure that SQL injection attacks against a Web application and its database are unsuccessful. Attackers depend on improperly validated (or unvalidated) input to carry out SQL injection and other types of attacks like XSS. Input validation may be performed based on the implementation discussed in the previous section of this chapter. It is important to note that validation of input at the server side does not negate the need to parameterize SQL queries, or vice versa. Based on the principles of defense-in-depth (which was covered in Chapter 2), it is important to understand that there must be multiple defenses to ensure that the attacker is not able to perpetrate an attack by circumventing a single defense mechanism.
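The following Java class is an added example written for this section; it is not code from the book. It puts Sections 10.3.1.1 to 10.3.1.3 side by side: a dynamically constructed query (shown only to illustrate the construction the text warns against), the same lookup rewritten as a PreparedStatement with a bound parameter, and a server-side allow-list validation applied before the query as a second, independent layer. It also catches SQLException the way the next section calls for, logging the full detail server side and returning only a generic message. The table name `users`, its columns, the username policy in the regular expression, and the `LookupException` type are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class UserLookup {

    private static final Logger LOG = Logger.getLogger(UserLookup.class.getName());

    // Assumed allow-list policy for usernames: 3 to 32 characters drawn from
    // letters, digits, dot, underscore and hyphen. Adjust to the application's rules.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    /** Hypothetical exception returned to callers so no raw database detail reaches them. */
    public static class LookupException extends Exception {
        public LookupException(String message) { super(message); }
    }

    // Dynamic construction (the pattern the text advises against): the value becomes
    // part of the SQL text, so the database parses whatever characters it contains.
    static String buildDynamicQuery(String username) {
        return "SELECT email FROM users WHERE username = '" + username + "'";
    }

    // Parameterized version: the SQL text is fixed and precompiled once; the value is
    // bound with setString and is therefore always treated as data, never as SQL.
    public static List<String> findEmails(Connection conn, String username) throws LookupException {
        // Defense in depth: validate first, and parameterize regardless of validation.
        if (username == null || !USERNAME.matcher(username).matches()) {
            throw new LookupException("Invalid username");
        }

        final String sql = "SELECT email FROM users WHERE username = ?";
        List<String> emails = new ArrayList<>();

        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);          // bound as data, no escaping needed here
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        } catch (SQLException e) {
            // Keep the diagnostic detail (SQLState, vendor code, stack trace) in the
            // server log only; it must not be echoed into the HTTP response.
            LOG.log(Level.SEVERE, "user lookup failed, SQLState=" + e.getSQLState(), e);
            throw new LookupException("Unable to process the request");
        }
        return emails;
    }
}
```

A caller such as a servlet should map `LookupException` to a fixed error page or status code and never include `e.getMessage()` from the underlying `SQLException`; the `try-with-resources` blocks also guarantee the statement and result set are closed on every path, which matters under load because the precompiled statement is reused rather than re-parsed.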
10.3.1.4 Flawed Error Handling
An attacker relies heavily on application error messages while performing SQL injection attacks. For instance, the attacker first submits an HTML form with the crafted SQL query to check for sanitization of database input. Sometimes, all an attacker has to do is include a single quote in the form along with regular input data, and an HTTP 500 error is displayed to the attacker, indicating that the input is actually being parsed. Apart from the error, several applications also display the stack trace of the exception and provide attackers with invaluable information about the failed SQL statement and clues about the schema of the database. Leveraging existing information, the attacker may be able to exploit the application with SQL injection. It is important to ensure that errors that reveal sensitive information are not reported to the users of the application. The OWASP Top Ten 2007 also names improper error handling as one of the key vulnerabilities for