DB Security Disaster: SQL Injection Tactics and Defense Strategies Wanted!

alik12

New member
Joined
Apr 15, 2004
Messages
2
Reaction score
0
Hey guys, I'm seeing some pretty serious DB security issues on some popular platforms lately and I'm looking for some insight. Specifically, has anyone come across examples of SQL injection tactics that have been successfully exploited, and more importantly, any solid defense strategies that can be implemented to prevent these types of attacks? Any shared knowledge would be super helpful.
 

hooko

Selecting
Joined
Oct 13, 2018
Messages
161
Reaction score
19
Website
vk.com
yo, for SQL injection prevention, I'd def recommend limiting DB user privileges to only what they need, and making sure to use parameterized queries. Also, consider implementing a Web Application Firewall (WAF) to block suspicious traffic. Has anyone had luck with using OWASP's ESAPI library for this?
 

golovast

Member
Joined
Oct 12, 2013
Messages
7
Reaction score
0
Hey OP, just threw out a quick thought - have you considered implementing parameterized queries or stored procedures to minimize SQL injection risks? Those can help mitigate some of the common attack vectors. Would love to hear more about your project and see if we can brainstorm some more ideas
 

vardancho

New member
Joined
May 16, 2007
Messages
2
Reaction score
0
Yo, just wanted to chime in - one simple way to prevent SQL injection is to use parameterized queries. It's less convenient than writing raw SQL, but it's a solid defense. Has anyone else had any success with security libraries like OWASP's ESAPI?
 

Sanja1987

New member
Joined
Jan 28, 2007
Messages
4
Reaction score
0
Dude, been there, done that. Make sure you're using parameterized queries and not concatenating user input into your SQL queries. Also, keep your DBMS and plugins up-to-date, it's crazy how many vulns get patched every month
 

komandor

New member
Joined
Oct 30, 2008
Messages
3
Reaction score
0
Lemme know if you're still looking for SQL injection examples, I can throw up some basic ones if you need 'em. Been a while since I messed with it, but I still got a few tricks up my sleeve. What's the main goal here, prevention or a walkthrough of exploitation?
 

Явь

New member
Joined
Jun 16, 2006
Messages
4
Reaction score
0
Dude, if you're not using parameterized queries, you're already compromised. I'd recommend checking out OWASP's SQL Injection Prevention Cheat Sheet for some solid defense strategies. Has anyone else had any major breaches from SQL injection lately?
 

ddd444

Member
Joined
Oct 13, 2005
Messages
7
Reaction score
1
I've come across some decent SQL injection preventions by implementing parameterized queries or using an ORM that takes care of this for you. Oracle's "PL/SQL" can also help prevent SQL injections to some extent. Has anyone had any hands-on experience with the OWASP SQLi validation library?
 

Герберт

New member
Joined
Dec 13, 2008
Messages
4
Reaction score
0
SQLi's a mess, I've seen some sites get totally pwned by it. One thing that's always helped me is whitelisting inputs and limiting db privileges, makes it harder for attackers to wreak havoc. Anyone have some experience with OWASP ZAP for detecting vulnerabilities?
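Added worked example (not from the thread or any poster) of the input whitelisting Герберт mentions, for the one place parameterized queries do not reach: identifiers. Column names and sort direction in an `ORDER BY` cannot be bound as `?` parameters, so they are checked against a fixed allow-list before they touch the SQL text, while the filter value is still bound. The `products` table, its rows and the attack strings are constructed for the demo.

```python
import sqlite3

# Identifiers that user input may select from. Anything else is rejected
# outright; there is no escaping step, because escaping identifiers is
# DBMS-specific and easy to get wrong.
ALLOWED_SORT_COLUMNS = {"name", "price", "stock"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_product_query(sort_column, direction):
    """Return the SQL text for a product listing, or raise ValueError if the
    caller-supplied identifiers are not on the allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % sort_column)
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("sort direction not allowed: %r" % direction)
    # Only allow-listed tokens reach the SQL text; the stock threshold is
    # left as a bound parameter.
    return (
        "SELECT name FROM products WHERE stock >= ? ORDER BY %s %s"
        % (sort_column, direction)
    )


def list_products(conn, min_stock, sort_column="name", direction="ASC"):
    """Run the allow-listed query with the value bound as a parameter."""
    sql = build_product_query(sort_column, direction)
    return [row[0] for row in conn.execute(sql, (min_stock,))]


def is_safe_sort(sort_column, direction):
    """True if the identifiers would be accepted, False if rejected."""
    try:
        build_product_query(sort_column, direction)
        return True
    except ValueError:
        return False


def make_db():
    """Constructed in-memory products table (sample data for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, stock INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("widget", 2.5, 10), ("gadget", 9.99, 0), ("gizmo", 4.0, 3)],
    )
    return conn


if __name__ == "__main__":
    conn = make_db()
    print("in stock, priciest first:", list_products(conn, 1, "price", "desc"))
    # Constructed attack strings a user might put in a ?sort= parameter.
    for attempt in ("price; DROP TABLE products", "name) --", "(SELECT 1)", "price"):
        print("%-28r accepted: %s" % (attempt, is_safe_sort(attempt, "ASC")))
```

The point of the allow-list is that it is a membership test against a closed set, not a pattern match against "bad" characters: a deny-list of quotes and semicolons would miss `(SELECT 1)` here, while the allow-list rejects everything that is not literally one of the three column names.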
 