Knowledge Base Article:CMO186 



Crash Magic strategies to prevent SQL injection attacks.

Article created: Mar 07 2007, updated: Mar 08 2007

Background:  This article describes some of the strategies that Crash Magic uses to prevent SQL injection attacks to a database.

Status:  Info - functionality description
Keywords:  sql,injection,hack,hacking
Categories:   *Article - references*

Explanation:

SQL injection attacks happen when a user enters malicious SQL into an application input field so that the database executes that text as part of a query instead of treating it as data.



Solution:

Crash Magic uses the following strategies to prevent SQL injection attacks.

 Database strategies - The following strategies should be implemented on your crash database and the Crash Magic system tables to prevent SQL injection attacks.

  • Crash Magic only requires read access to the crash data - Crash Magic only requires select privileges on the crash data records. This prevents users from deleting or altering crash data records, and it also prevents code from being inserted into the crash database.
  • The Crash Magic system database only requires select, delete and update privileges. - The recommended installation for the Crash Magic system tables is to install them in a separate database or schema. Limiting privileges on the Crash Magic system tables prevents execution of database procedures and code on most databases, and it limits the scope of an attack to just the Crash Magic database.

Crash Magic strategies - The following are strategies used by Crash Magic to prevent SQL injection attacks.

  • Crash Magic uses parameters for database statements. - This restricts application users to the SQL statements defined in the program; a user can only supply the parameters that Crash Magic asks for. Admin users are able to create other statements, but a user must be granted admin rights by a user who is already an admin in Crash Magic.
  • All parameters are escaped when inserted into the database. - This means that the data inserted into the Crash Magic system tables may not resemble what the user typed in. Escaping special characters makes the database treat the input as literal characters rather than as a command.
  • Only admin users have direct access to create SQL against the database. - Only admin users can create SQL statements that run on the database, which restricts this ability to high-level users. Those statements also run under the Crash Magic user account on the database, so the privileges granted to that account further restrict what an admin can do.
  • Users without admin rights cannot directly access queries on the database. - This restricts such users to queries that have already been created, with parameters that are escaped by Crash Magic.
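The two strategies above that carry the most weight, parameterized statements (so user input is bound as data, never parsed as SQL) and a select-only database account for the crash data, can be seen side by side in the following added example. It is illustrative code written for this article, not Crash Magic's own code or schema: the crash table, its rows and the tautology input are constructed, and SQLite's PRAGMA query_only is used as a stand-in for the SELECT-only grant the article recommends on a server database (SQLite has no GRANT statement).

```python
import sqlite3

# Constructed sample crash records; this is not Crash Magic's real schema.
SAMPLE_CRASHES = [
    (1, "MAIN ST", "2007-03-01"),
    (2, "OAK AVE", "2007-03-02"),
    (3, "MAIN ST", "2007-03-05"),
]

# A classic tautology input, used only to show how the two query styles differ
# when the same text arrives in a form field.
TAUTOLOGY_INPUT = "MAIN ST' OR '1'='1"


def open_crash_db(read_only=True):
    """Build an in-memory crash database.

    PRAGMA query_only stands in for a select-only account (assumption: SQLite
    has no GRANT, so this is the closest equivalent). With it on, any write
    statement fails with sqlite3.OperationalError.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crash (id INTEGER PRIMARY KEY, street TEXT, crash_date TEXT)"
    )
    conn.executemany("INSERT INTO crash VALUES (?, ?, ?)", SAMPLE_CRASHES)
    conn.commit()
    if read_only:
        conn.execute("PRAGMA query_only = ON")
    return conn


def count_by_street_concatenated(conn, street):
    """Vulnerable pattern: user text is pasted into the SQL, so a quote in the
    input changes the shape of the query itself."""
    sql = "SELECT COUNT(*) FROM crash WHERE street = '" + street + "'"
    return conn.execute(sql).fetchone()[0]


def count_by_street_parameterized(conn, street):
    """Safe pattern: the value is bound by the driver as a parameter and is
    compared as a literal string, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM crash WHERE street = ?"
    return conn.execute(sql, (street,)).fetchone()[0]


def attempt_delete(conn):
    """Return True if a DELETE succeeded, False if the connection refused it.
    On the read-only connection this models a select-only database account."""
    try:
        conn.execute("DELETE FROM crash")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    """Run both query styles with honest and malicious input, then try a write
    on a read-only and on a writable connection."""
    conn = open_crash_db(read_only=True)
    return {
        "honest_concat": count_by_street_concatenated(conn, "MAIN ST"),
        "honest_param": count_by_street_parameterized(conn, "MAIN ST"),
        "tautology_concat": count_by_street_concatenated(conn, TAUTOLOGY_INPUT),
        "tautology_param": count_by_street_parameterized(conn, TAUTOLOGY_INPUT),
        "delete_on_read_only": attempt_delete(conn),
        "delete_on_writable": attempt_delete(open_crash_db(read_only=False)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the honest input both styles count 2 crashes on MAIN ST. With the tautology input the concatenated query returns every row (3) because the input rewrote the WHERE clause, while the parameterized query returns 0 because no street is literally named that string. The DELETE fails on the read-only connection and succeeds on the writable one, which is the whole point of granting the application account select-only access to the crash data.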

People are always looking for new ways to exploit applications connected to the web. If you suspect an attack through Crash Magic, you should report this to Pd' Programming immediately.


January 23, 2018 12:25PM

© 1999-2018 Pd' Programming, Inc - Lafayette, CO USA