{"id":4863,"date":"2019-08-04T09:01:24","date_gmt":"2019-08-04T09:01:24","guid":{"rendered":"https:\/\/avengering.com\/?p=4863"},"modified":"2019-07-26T16:17:29","modified_gmt":"2019-07-26T16:17:29","slug":"how-to-protect-your-website-against-sql-injection-attack","status":"publish","type":"post","link":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/","title":{"rendered":"How to protect your website against SQL injection attack?"},"content":{"rendered":"<h2>Preface<\/h2>\n<p>If you have read our <a href=\"https:\/\/avengering.com\/en\/how-to-improve-your-website-web-app-security\/\">previous posts<\/a>, in two posts we talk bot the security issues of websites and web apps. For all too many companies, it\u2019s not until <em>after<\/em>\u00a0a security breach has occurred that web security best practices become a priority. During my years working as an IT Security professional, I have seen time and time again how obscure the world of web development security issues can be to so many programmers.<\/p>\n<p>Now a day, SQL Injection represents a serious threat to Internet security for various dynamic Web applications residing on the Internet. These web applications drive many vital processes in various web-based businesses. As the use of the Internet for various online services grows, security threats on the Web are also increasing. There is a universal need for all dynamic web applications and this universal need is the need to store, retrieve or manipulate information from a database. Most systems that manage databases and their requirements, such as MySQL Server and PostgreSQL, use SQL as the language. The flexibility of SQL makes it a powerful language. It allows its users to ask what he\/she wants without disclosing any information on how the data will be recovered. However, the extensive use of SQL databases has attracted the attention of hackers. They take advantage of poorly coded web applications to attack databases. They introduce an apparent SQL query, via unauthorized user input, into the legitimate request statement. In this article, we have tried to present a complete review of all the different types of SQL injection attacks present, as well as the detection of such attacks and the preventive measures used. We highlighted their strengths and weaknesses. Such a classification would help other researchers to choose the right technique for further studies.<\/p>\n<h2>SECURITY IS THE MAIN PARMAMETRE<\/h2>\n<p>An effective approach to web security threats must, by definition, be proactive and defensive. Toward that end, this post is aimed at sparking a security mindset, hopefully injecting the reader with a healthy dose of paranoia.<\/p>\n<p>In particular, this guide focuses on 10 common and significant web security pitfalls to be aware of, including recommendations on how they can be mitigated. The focus is on the\u00a0<a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-Top_10\">Top 10 Web Vulnerabilities<\/a>\u00a0identified by the\u00a0<a href=\"https:\/\/www.owasp.org\/index.php\/Main_Page\">Open Web Application Security Project (OWASP)<\/a>, an international, non-profit organization whose goal is to improve software security across the globe.<\/p>\n<h3>MOST COMMON WEBSITE SECURITY VULNERABILITIES<\/h3>\n<p>From the biggest data breaches and cyber-attacks of the past decade, it is quite clear that marginal and careless mistakes and lapses in website security have turned out to be dangerous. Even big players have faced heavy losses, not just monetarily but in terms of customers, trust, brand image, and goodwill as a result of the attacks.<\/p>\n<p>We have compiled the list of 10 most dangerous website security mistakes that you must avoid.<\/p>\n<p>1<strong>&#8211;<span style=\"color: #ff0000;\">SQL INJECTIONS (INJECTION FLAWS)<\/span><\/strong><\/p>\n<p>2- CROSS SITE SCRIPTING (XSS)<\/p>\n<p>3. BROKEN AUTHENTICATION &amp; SESSION MANAGEMENT<\/p>\n<p>4. INSECURE DIRECT OBJECT REFERENCES<\/p>\n<p>5. SECURITY MISCONFIGURATION<\/p>\n<p>6. CROSS-SITE REQUEST FORGERY (CSRF)<\/p>\n<p>7- SENSITIVE DATA EXPOSER<\/p>\n<p>8- MISSING FUNCTION LEVEL ACCESS CONTROL<\/p>\n<p>9- USING COMPONENTS WITH KNOWN VULNERABILITIES<\/p>\n<p>10- Invalidated redirects and forwards<\/p>\n<p>Don&#8217;t forget:<\/p>\n<blockquote><p><span style=\"color: #ff0000;\"><strong>IRREGULAR OR NO WEBSITE SECURITY SCANS. <\/strong><\/span>The importance of regular website security scanning cannot be stressed enough. It is only through regular scanning that we can find vulnerabilities and gaps that exist, and accordingly, fix them. Organizations often make the cardinal error of not scanning their websites every day and after major changes to the business policies, systems, etc<\/p><\/blockquote>\n<h3>What is SQL Injection Attacks<\/h3>\n<p>The OWASP Top 10 lists Injection and Cross-Site Scripting (XSS) as the most common security risks to web applications. Indeed, they go hand in hand because XSS attacks are contingent on a successful Injection attack. While this is the most obvious partnership, Injection is not just limited to enabling XSS.<\/p>\n<p>The injection is an entire class of attacks that rely on injecting data into a web application to facilitate the execution or interpretation of malicious data unexpectedly. Examples of attacks within this class include Cross-Site Scripting (XSS), SQL Injection, Header Injection, Log Injection, and Full Path Disclosure. I\u2019m scratching the surface here.<\/p>\n<p>This class of attacks is every programmer\u2019s bogeyman. They are the most common and successful attacks on the internet due to their numerous types, large attack surface, and the complexity sometimes needed to protect against them. All applications need data from somewhere to function. Cross-Site Scripting and UI Redress are, in particular, so common that I\u2019ve dedicated the next chapter to them and these are usually categorized separately from Injection Attacks as their class given their significance.<\/p>\n<p>OWASP uses the following definition for Injection Attacks:<\/p>\n<blockquote><p>Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker\u2019s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.<\/p><\/blockquote>\n<p>By the way, Injection flaws result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to the SQL server (SQL injection), to the browser (XSS \u2013 we\u2019 had been talked about this <a href=\"https:\/\/avengering.com\/en\/how-to-improve-your-website-web-app-security\/\"><strong>before<\/strong> <\/a>), to the LDAP server (LDAP injection), or anywhere else. The problem here is that the attacker can inject commands to these entities, resulting in loss of data and hijacking clients\u2019 browsers.<\/p>\n<blockquote><p><em>Anything that your application receives from untrusted sources must be filtered,<\/em> preferably according to a whitelist. You should almost never use a blacklist, as getting that right is very hard and usually easy to bypass. Antivirus software products typically provide stellar examples of failing blacklists. Pattern matching does not work.<\/p><\/blockquote>\n<p>in the other definition,<\/p>\n<blockquote><p>SQL Injection operates by injecting data into a web application which is then used in SQL queries. The data usually comes from untrusted input such as a web form. However, it\u2019s also possible that the data comes from another source including the database itself.<\/p><\/blockquote>\n<p>Programmers will often trust data from their database believing it to be completely safe without realizing that being safe for one particular usage does not mean it is safe for all other subsequent usages. Data from a database should be treated as untrusted unless proven otherwise, e.g. through validation processes.<\/p>\n<p>If successful, an SQL Injection can manipulate the SQL query being targeted to perform a database operation not intended by the programmer.<\/p>\n<p>Please consider the following query:<\/p>\n<pre class=\"lang:default decode:true\">$db = new mysqli('localhost', 'username', 'password', 'storedb');\r\n\r\n$result = $db-&gt;query(\r\n\r\n'SELECT * FROM transactions WHERE user_id = ' . $_POST['user_id']\r\n\r\n);<\/pre>\n<p>The above has several things wrong with it.<\/p>\n<p>1- First of all, we haven\u2019t validated the contents of the POST data to ensure it is a valid user_id.<\/p>\n<p>2- Secondly, we are allowing an untrusted source to tell us which user_id to use &#8211; an attacker could set any valid user_id they wanted to. Perhaps the user_id was contained in a hidden form field that we believed safe because the webform would not let it be edited (forgetting that attackers can submit anything).<\/p>\n<p>3- Thirdly, we have not escaped the user_id or passed it to the query as a bound parameter which also allows the attacker to inject arbitrary strings that can manipulate the SQL query given we failed to validate it in the first place.<\/p>\n<p>The above three failings are remarkably common in web applications.<\/p>\n<h2 id=\"howtoprotectyourselfagainstsqlinjectionattacks\">How to Protect Yourself Against SQL Injection Attacks<\/h2>\n<p>With user input channels being the main vector for SQL injection attacks, most of the defensive methods involve controlling and vetting user input for attack patterns.<\/p>\n<p>Here are several measures that can ensure user input safety.<\/p>\n<h3 id=\"nevertrustuserinput\">1-Never trust user input<\/h3>\n<p>The first rule of thumb about user input is \u201c<a href=\"https:\/\/en.wikipedia.org\/wiki\/Trust,_but_verify\">don\u2019t trust and verify<\/a>,\u201d which effectively means all forms of the user input should be considered malicious unless proved otherwise. This accounts not only for simple input boxes such as text areas and text boxes but for everything else as well \u2014 such as hidden inputs, query string parameters, cookies, and file uploads.<\/p>\n<p>Just because the browser\u2019s user interface doesn\u2019t allow the user to manipulate an input, it doesn\u2019t mean that it can\u2019t be tampered with. Simple tools such as\u00a0<a href=\"https:\/\/portswigger.net\/burp\/\">Burp <\/a>Suite enable\u00a0users to capture HTTP requests and modify anything, including hidden form values, before submitting them to the server. And if you think yourself clever by Base64 encoding your data, it can easily be decoded, modified and re-encoded by malicious users.<\/p>\n<h3 id=\"validateinputstringsontheserverside\">2-Validate input strings on the server-side<\/h3>\n<p>Validation is the process of making sure the right type of input is provided by users and to neutralize any potential malicious commands that might be embedded in the input string. For instance, in PHP, you can use the <span style=\"color: #0000ff;\">mysql\\_real\\_escape\\_string()<\/span>\u00a0to escape characters that might change the nature of the SQL command.<\/p>\n<p>An altered version of the previously-mentioned login code would be as follows:<\/p>\n<pre class=\"lang:default decode:true\">$con=mysqli_connect(\"localhost\",\"user\",\"password\",\"db\");\r\n\r\n$username = mysqli_real_escape_string($con, $_POST['username']);\r\n\r\n$password = mysqli_real_escape_string($con, $_POST['password']);\r\n\r\n$sql_command = \"select * from users where username = '\" . $username; $sql_command .= \"' AND password = '\" . $password . \"'\";<\/pre>\n<p>This simple modification would protect your code against the attack that was presented by adding an escape character (\\) in front of the single quotes that were intentionally added by the malicious user.<\/p>\n<p><strong>A note on validation:<\/strong><\/p>\n<blockquote><p>\u00a0If you\u2019ve added client-side validation functions, well done. But don\u2019t rely on it as a defensive measure against SQL injection attacks. While client-side functions might make it a notch harder to send malicious input to your server, it can easily be circumvented with a few browser tweaks and tools such as the one just mentioned. Therefore, you need to complement it with server-side validation.<\/p><\/blockquote>\n<p>Some programming platforms, such as #ASP.NET, include built-in features that will automatically evaluate user input for malicious content on page postbacks. But they can be circumvented by hackers with enough nerves and subtlety, so you should nonetheless run user input through your security check procedures. You can never be too cautious.<\/p>\n<h3 id=\"usecommandparameters\">3-Use command parameters<\/h3>\n<p>A better alternative to escaping would be to use command parameters. Command parameters are defined by adding placeholder names in SQL commands, which will later be replaced by user input. ASP.NET has a very intuitive and easy-to-use set of APIs for this purpose.<\/p>\n<p>The following code, written in C#, shows how you can use the command parameters to protect your website against SQL injection:<\/p>\n<p style=\"text-align: center;\"><span style=\"color: #0000ff;\"><strong>Report Advertisement<\/strong><\/span><\/p>\n<pre class=\"lang:default decode:true \" title=\"Report Advertisement\">SqlCommand cmd = new SqlCommand (\"SELECT * FROM users WHERE username=@username AND password=@password\",con);\r\n\r\nSqlParameter username = new SqlParameter(); username.ParameterName = \"@username\"; username.value = txtUsername.Text; cmd.Parameters.Add(username);\r\n\r\nSqlParameter password = new SqlParameter(); password.ParameterName = \"@password\"; password.value = txtPassword.Text; cmd.Parameters.Add(password);<\/pre>\n<p>&nbsp;<\/p>\n<p>you start by creating a <code class=\"language-undefined\">SqlCommand<\/code>\u00a0object and using the\u00a0<code class=\"language-undefined\">@parameter_namethe <\/code>paradigm in the command string where user input should be inserted.<\/p>\n<p>You then create instances of\u00a0<code class=\"language-undefined\">SqlParameter<\/code>\u00a0objects, in which you insert the user input, instead of directly concatenating it with the command string.<\/p>\n<p>Finally, you add the\u00a0<code class=\"language-undefined\">SqlParameter<\/code>\u00a0object to the\u00a0<code class=\"language-undefined\">SqlCommand<\/code>\u00a0object\u2019s Parameters collection, which will replace the parameters with the provided input. ADO.net takes care of the rest.<\/p>\n<p>In PHP, the equivalent is prepared statements, which is a bit more involved than its ASP.net counterpart. You can explore it\u00a0<a href=\"http:\/\/php.net\/manual\/en\/mysqli-stmt.bind-param.php\">here<\/a>.<\/p>\n<h3 id=\"explicitlycastyourinput\">4-Explicitly cast your input<\/h3>\n<p>This tip is for languages such as PHP, which are weakly typed, which means you do not usually define data types for variables, and the language automatically takes care of converting different data types between each other.<\/p>\n<p>Explicit casts can act as a shortcut to escaping input where non-string types are involved. So, if you\u2019re expecting the user to input an\u00a0<code class=\"language-undefined\">int<\/code>\u00a0for the\u00a0<code class=\"language-undefined\">age<\/code>\u00a0parameter, you can ensure the safety of the input with the following code in PHP:<\/p>\n<pre class=\"language-php\"><code class=\"php language-php\">$age = (int)$_POST['age']; \r\n<\/code><\/pre>\n<p>Take note that this snippet only validates the input\u2019s type, not its range. So you\u2019ll have to run other code to make sure the user doesn\u2019t enter a negative age \u2014 or an unrealistic one such as 1300.<\/p>\n<p>Also, another best practice is to avoid using single quotes in SQL commands where non-string input is involved. So instead of using the following code \u2026<\/p>\n<pre class=\"language-php\"><code class=\"php language-php\">$sql_command = \"select * from users where age = \" . $age; \r\n<\/code><\/pre>\n<p>\u2026 it would be a bit safer to use the following one:<\/p>\n<pre class=\"language-php\"><code class=\"php language-php\">$sql_command = \"select * from users where age = '\" . $age . \"'\"; <\/code><\/pre>\n<h2><strong>Conclusion:\u00a0<\/strong><\/h2>\n<p>The good news is that protecting against injection is \u201csimply\u201d a matter of filtering your input properly and thinking about whether an input can be trusted. But the bad news is that\u00a0<em>all<\/em> input needs to be properly filtered unless it can unquestionably be trusted (but the saying \u201cnever say never\u201d does come to mind here).<\/p>\n<p>In a system with 1,000 inputs, for example, successfully filtering 999 of them is not sufficient, as this still leaves one field that can serve as the Achilles heal to bring down your system. And you might think that putting an SQL query result into another query is a good idea, as the database is trusted, but if the perimeter is not, the input comes indirectly from guys with malintent. This is called\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/SQL_injection#Second_Order_SQL_Injection\">Second Order SQL Injection<\/a>\u00a0in case you\u2019re interested.<\/p>\n<p>Since filtering is pretty hard to do right (like crypto), what I usually advise is to rely on your framework\u2019s filtering functions: they are proven to work and are thoroughly scrutinized. If you do not use frameworks, you need to think hard about whether\u00a0<em>not<\/em>\u00a0using them makes sense in your server security context. 99% of the time it does not.<\/p>\n<p>in the other word, SQL injection has been around for decades and will likely continue to top the vulnerability charts for years to come. It takes a few easy \u2014 but well-calculated \u2014 steps to protect yourself and your users against it, and it should be among your top priorities when auditing your source code for security holes.<\/p>\n<p>The key to avoiding being the victim of the next huge SQL injection data breach is first, to control and validate user input, and second, to prepare yourself for the \u201cwhen,\u201d not the \u201cif.\u201d<\/p>\n<p style=\"text-align: right;\"><a class=\"maxbutton-9 maxbutton maxbutton-iso-9241-210-2010-en\" target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/ieeexplore.ieee.org\/document\/7395166\"><span class='mb-text'>SQL injection&#039;s IEEE Paper<\/span><\/a><\/p>\n<p style=\"text-align: right;\"><a class=\"maxbutton-9 maxbutton maxbutton-iso-9241-210-2010-en\" target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.elsevier.com\/books\/sql-injection-attacks-and-defense\/clarke-salt\/978-1-59749-963-7\"><span class='mb-text'>SQL injection&#039;s Elsevier Book<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Preface If you have read our previous posts, in two posts we talk bot the security issues of websites and web apps. For all too many companies, it\u2019s not until after\u00a0a security breach has occurred that web security best practices become a priority. During my years working as an IT Security professional, I have seen [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4871,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"_glsr_average":0,"_glsr_ranking":0,"_glsr_reviews":0,"footnotes":""},"categories":[638,169,637],"tags":[653,654,655,175,656],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.3 (Yoast SEO v23.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to protect your website against SQL injection attack?<\/title>\n<meta name=\"description\" content=\"SQL Injection result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to SQL server, browser,LDAP server .\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to protect your website against SQL injection attack?\" \/>\n<meta property=\"og:description\" content=\"SQL Injection result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to SQL server, browser,LDAP server .\" \/>\n<meta property=\"og:url\" content=\"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/avengering\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/siavosh.kaviani\" \/>\n<meta property=\"article:published_time\" content=\"2019-08-04T09:01:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-07-26T16:17:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/avengering.com\/wp-content\/uploads\/2019\/07\/source.gif\" \/>\n\t<meta property=\"og:image:width\" content=\"700\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/gif\" \/>\n<meta name=\"author\" content=\"kaviani siavosh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/avengering1\" \/>\n<meta name=\"twitter:site\" content=\"@avengering1\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"kaviani siavosh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How to protect your website against SQL injection attack?","description":"SQL Injection result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to SQL server, browser,LDAP server .","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/","og_locale":"en_US","og_type":"article","og_title":"How to protect your website against SQL injection attack?","og_description":"SQL Injection result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to SQL server, browser,LDAP server .","og_url":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/","article_publisher":"https:\/\/www.facebook.com\/avengering\/","article_author":"https:\/\/www.facebook.com\/siavosh.kaviani","article_published_time":"2019-08-04T09:01:24+00:00","article_modified_time":"2019-07-26T16:17:29+00:00","og_image":[{"width":700,"height":300,"url":"https:\/\/avengering.com\/wp-content\/uploads\/2019\/07\/source.gif","type":"image\/gif"}],"author":"kaviani siavosh","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/avengering1","twitter_site":"@avengering1","twitter_misc":{"Written by":"kaviani siavosh","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/#article","isPartOf":{"@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/"},"author":{"name":"kaviani siavosh","@id":"https:\/\/avengering.com\/en\/#\/schema\/person\/e80dfbc504017eb0e76b7ff446000d1d"},"headline":"How to protect your website against SQL injection attack?","datePublished":"2019-08-04T09:01:24+00:00","dateModified":"2019-07-26T16:17:29+00:00","mainEntityOfPage":{"@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/"},"wordCount":2268,"commentCount":0,"publisher":{"@id":"https:\/\/avengering.com\/en\/#organization"},"image":{"@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/avengering.com\/wp-content\/uploads\/2019\/07\/source.gif","keywords":["How to protect your website against SQL injection attack?","Injection flaws","MOST COMMON WEBSITE SECURITY VULNERABILITIES","SQL INJECTIONS","What is SQL Injection Attacks"],"articleSection":["Injection flaws","Security","SQL injection"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/","url":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/","name":"How to protect your website against SQL injection attack?","isPartOf":{"@id":"https:\/\/avengering.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/#primaryimage"},"image":{"@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/avengering.com\/wp-content\/uploads\/2019\/07\/source.gif","datePublished":"2019-08-04T09:01:24+00:00","dateModified":"2019-07-26T16:17:29+00:00","description":"SQL Injection result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to SQL server, browser,LDAP server .","breadcrumb":{"@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/#primaryimage","url":"https:\/\/avengering.com\/wp-content\/uploads\/2019\/07\/source.gif","contentUrl":"https:\/\/avengering.com\/wp-content\/uploads\/2019\/07\/source.gif","width":700,"height":300,"caption":"SQL injection"},{"@type":"BreadcrumbList","@id":"https:\/\/avengering.com\/en\/how-to-protect-your-website-against-sql-injection-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/avengering.com\/en\/"},{"@type":"ListItem","position":2,"name":"How to protect your website against SQL injection attack?"}]},{"@type":"WebSite","@id":"https:\/\/avengering.com\/en\/#website","url":"https:\/\/avengering.com\/en\/","name":"Avenger IT Next Generation","description":"site web Concepcion","publisher":{"@id":"https:\/\/avengering.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/avengering.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/avengering.com\/en\/#organization","name":"Avenger It Next Generation","url":"https:\/\/avengering.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/avengering.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/avengering.com\/wp-content\/uploads\/2019\/03\/av-logo.jpg","contentUrl":"https:\/\/avengering.com\/wp-content\/uploads\/2019\/03\/av-logo.jpg","width":672,"height":156,"caption":"Avenger It Next Generation"},"image":{"@id":"https:\/\/avengering.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/avengering\/","https:\/\/x.com\/avengering1","https:\/\/www.instagram.com\/avengeritnextgeneration\/","https:\/\/linkedin.com\/company\/avengering","https:\/\/www.pinterest.fr\/kaviani0593\/","https:\/\/www.youtube.com\/channel\/UCVwQU9Tx51ptiSG-Z9MOOTQ"]},{"@type":"Person","@id":"https:\/\/avengering.com\/en\/#\/schema\/person\/e80dfbc504017eb0e76b7ff446000d1d","name":"kaviani siavosh","description":"Professor Siavosh Kaviani was born in 1961 in Tehran. He had a professorship. He holds a Ph.D. in Software Engineering from the QL University of Software Development Methodology and an honorary Ph.D. from the University of Chelsea. He has teaching backgrounds at Amirkabir University, Arak University, Azad University, Payam Noor University, University of Applied Sciences and Heriot-Watt University. as a full professor and an expert in the fields of industry and University that working for more than 30 years. My focus is on essential research and education based on research. I try to research first and accept the facts, so make a plan to operate the conclusion of researches. Siavosh Kaviani Scientific background: British computer society Iranian Information Society, Society of Electrical Engineers, ESA","sameAs":["https:\/\/avengering.com\/prof-siavosh-kaviani","https:\/\/www.facebook.com\/siavosh.kaviani","https:\/\/www.instagram.com\/siavoshkaviani\/","https:\/\/www.linkedin.com\/in\/siavosh-kaviani-14871044\/","https:\/\/www.pinterest.ru\/kaviani0593\/","https:\/\/x.com\/https:\/\/twitter.com\/avengering1","https:\/\/myspace.com\/siavosh.kaviani","https:\/\/www.youtube.com\/user\/MrSiavashkaviani\/videos","https:\/\/www.tumblr.com\/blog\/view\/siavosh","https:\/\/en.wikipedia.org\/wiki\/User:Siavosh_kaviani"],"url":"https:\/\/avengering.com\/en\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/posts\/4863"}],"collection":[{"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/comments?post=4863"}],"version-history":[{"count":0,"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/posts\/4863\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/media\/4871"}],"wp:attachment":[{"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/media?parent=4863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/categories?post=4863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/avengering.com\/en\/wp-json\/wp\/v2\/tags?post=4863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}