Using Raw SQL Queries
SQL queries are used for interacting with databases. These queries have a set format. It is possible to write queries in multiple ways. Some methods allow users to specify the parameters of the queries. Such SQL statements are called raw queries. Other methods permit users to input values for predefined parameters, only. Queries structured this way are known as parameterized queries. Allowing users to specify parameters is risky. An attacker can perform attacks like ‘SQL injection’ that harm databases. Let’s go through a typical sequence of events to understand how a malicious activity of this sort could be carried out.
A database contains a table that consists of usernames and passwords. A raw SQL query is used for filling up values in the table. An attacker provides a legitimate value as username but writes a query that would drop the entire table, as the value for password. The query is still correct syntax wise. Upon execution, the table drops and its data, lost.
Using parameterized queries is the solution. Users can specify only values (one word) for the query’s predefined parameters. It is not possible to write another query under the guise of filling in a value. Users are not allowed to add a parameter from there end either. Furthermore, all the user inputs shall be validated. Input validation verifies syntax and rejects incorrect data.