SQL Injection attempts wreaking havoc on databases

Lew Skannen

What is the best way to prevent SQL injection attempts on a website?
 
Thanks, sanitisation on forms is done. From what I heard it is continued URL attacks, and most attacks seem to come from Onion IPs. Millions of attacks at short intervals, stop for a while, then return.
Expected user input, that is data directly from 'your own post', is normally fixed with that. However, that doesn't stop someone from using a self-made post / curl.
 

Just put the host behind Cloudflare, enable the highest OWASP security level and make sure onion IP support is disabled. That should take care of most if not all potential threats; in fact, we have used this method to detect flaws in our public-facing security, based on Cloudflare triggers, that we did not even consider before.

Keep in mind that OWASP at the highest level will flag some false positives, which you can filter out as time goes by.

One additional step is to also disable IPv6 on Cloudflare, considering that nowadays so many attacks come from IPv6 blocks: since IPv6 has an infinite supply of addresses, websites that support IPv6 access can get hammered much harder by IPv6 attacks.
 
I use only SQL stored procedures and functions where apps have to execute SQL code against a DB. So that takes care of making sure everything is parameterized. Also, hiding all DB calls in repositories behind a controller, with an API in between, never hurts. It's a good way to abstract things and provides a robust, easy-to-use layer for validation and constraining calls. Also, it's best to use an ORM in your repos instead of reams of inline SQL. I like Dapper. It works just dandy (this is in an Aurelia-C#-SQL stack).

Parameterize - Abstract. Follow that basic formula and it takes all the guesswork out.
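As an added illustration of the "parameterize and abstract" advice above (example code written for this thread, not from any poster or from Dapper), here is the same lookup written two ways in Python with the standard sqlite3 driver: an inline query built by string concatenation beside a repository whose only query is parameterized. The `users` table and its two rows are constructed for the demo; the `UserRepository` class and `compare` helper are hypothetical names.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_inline(conn: sqlite3.Connection, username: str) -> list:
    """Inline SQL built by concatenation: the input becomes part of the query text,
    so the database parses whatever the caller supplied as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


class UserRepository:
    """Repository layer: the only place SQL for users lives. Callers pass values,
    never query fragments, and the layer validates before it queries."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self._conn = conn

    def find_by_username(self, username: str) -> list:
        # Constrain the call at the boundary (type and length) before touching the DB.
        if not isinstance(username, str) or not 0 < len(username) <= 64:
            raise ValueError("invalid username")
        # Parameterized: the driver sends the value separately from the query text,
        # so it is compared as data and never interpreted as SQL.
        rows = self._conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
        return [row[0] for row in rows]


def compare(user_input: str) -> dict:
    """Run the same input through both paths and report what each returns."""
    conn = make_db()
    return {
        "inline": find_user_inline(conn, user_input),
        "repository": UserRepository(conn).find_by_username(user_input),
    }
```

With a plain username both paths agree; with input containing a quote the inline path changes the query's meaning while the repository path simply finds no such user.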
 