Crash Magic uses the following strategies to prevent SQL injection attacks.
Database strategies - The following strategies should be implemented on your crash database and the Crash Magic system tables to prevent SQL injection attacks.
- Crash Magic only requires read access to the crash data - Crash Magic only requires select privileges on the crash data records. This prevents users from deleting or altering crash data records, and it prevents code from being inserted into the crash database.
- The Crash Magic system database only requires select, delete and update privileges. - The recommended installation for the Crash Magic system tables is on a separate database or schema. On most databases, limiting privileges on the Crash Magic system tables prevents any execution of stored procedures or other database code. This also limits the scope of an attack to just the Crash Magic database.
Crash Magic strategies - The following are strategies used by Crash Magic to prevent SQL injection attacks.
- Crash Magic uses parameters for database statements. - This restricts application users to the SQL statements defined in the program; the user can only enter the parameters requested by Crash Magic. Admin users are able to create other statements, but a user can only be granted admin rights by a user who is already a Crash Magic admin.
- All parameters are escaped when inserted into the database. - This means that the data inserted into the Crash Magic system tables may not resemble what the user typed in. Escaping ensures the database sees the input only as character data and not as a command.
- Only admin users have direct access to create SQL against the database. - Only admin users can create SQL statements that run on the database, which restricts this access to high-level users. Those statements also run under the Crash Magic user account on the database, which further limits what an admin can do.
- Users without admin rights cannot directly run queries on the database. - Their access is restricted to queries that have already been created, with parameters escaped by Crash Magic.
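The following added example (not Crash Magic's own code; Pd' Programming's implementation is not shown on this page) illustrates the three application-side strategies above with a small SQLite database: a vulnerable lookup that splices user text into the statement, and a hardened runner that only executes statements from a fixed catalogue and passes user values as bound parameters, so the engine sees them as data and stores them exactly as typed. The table layout, the `PREDEFINED_QUERIES` catalogue and the crash records are constructed for the example and are not Crash Magic's schema.

```python
import sqlite3

# Constructed sample crash records for the demo (not real crash data).
CRASHES = [
    (1, "Main St & 1st Ave", "2023-01-05", "rear end"),
    (2, "Main St & 2nd Ave", "2023-02-10", "angle"),
    (3, "Oak Rd & Pine Ln", "2023-03-15", "rear end"),
]

# Hypothetical catalogue of the only statements a non-admin user may run.
# The SQL text is fixed in the program; the user supplies parameter values only.
PREDEFINED_QUERIES = {
    "crashes_at_location": "SELECT id FROM crash WHERE location = ? ORDER BY id",
    "crashes_by_type": "SELECT id FROM crash WHERE crash_type = ? ORDER BY id",
}


def open_crash_db():
    """Create an in-memory crash table populated with the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crash (id INTEGER PRIMARY KEY, location TEXT, "
        "crash_date TEXT, crash_type TEXT)"
    )
    conn.executemany("INSERT INTO crash VALUES (?, ?, ?, ?)", CRASHES)
    return conn


def unsafe_lookup(conn, location):
    """Vulnerable pattern: user text becomes part of the SQL, so a quote in
    the input changes the statement the database executes."""
    sql = f"SELECT id FROM crash WHERE location = '{location}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def run_predefined(conn, name, params):
    """Hardened pattern: only catalogue statements run, and the user's values
    travel separately as bound parameters, never as SQL text."""
    if name not in PREDEFINED_QUERIES:
        raise ValueError(f"unknown query: {name}")
    return [row[0] for row in conn.execute(PREDEFINED_QUERIES[name], params)]


def save_query_name(conn, name):
    """Bound parameters on an insert: the engine stores the text literally,
    quotes included, because it is handled as data rather than parsed as SQL."""
    conn.execute("CREATE TABLE IF NOT EXISTS saved_query (name TEXT)")
    conn.execute("INSERT INTO saved_query (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM saved_query WHERE name = ?", (name,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = open_crash_db()
    tautology = "' OR '1'='1"  # classic input that turns a lookup into "match everything"
    print("unsafe, injected:", unsafe_lookup(db, tautology))
    print("hardened, same input:", run_predefined(db, "crashes_at_location", (tautology,)))
    print("hardened, real value:", run_predefined(db, "crashes_by_type", ("rear end",)))
    print("stored literally:", save_query_name(db, "O'Brien's corridor"))
```

With the tautology input, `unsafe_lookup` returns every record because the input rewrote the WHERE clause, while `run_predefined` returns nothing because no location is literally named `' OR '1'='1`. Asking the hardened runner for a statement that is not in the catalogue raises instead of running, which is the behaviour a non-admin user should see.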
People are always looking for new ways to exploit applications connected to the web. If you suspect an attack through Crash Magic, you should report this to Pd' Programming immediately.