Hacking websites: SQL injection and Cross Site Scripting


Maintaining the security of your websites is not easy. You need to make sure that SQL injection and cross site scripting cannot take place. Many young programmers make such mistakes, and malicious hackers can then hack your website in no time.

SQL injection relies on malicious SQL statements being inserted into the commands sent to the database, something along the lines of DROP TABLE, which would delete the information in the database.

But where and how can you insert such SQL statements? Tom Scott (YouTube) explains that if you were to put: SELECT * FROM USERS WHERE USERNAME = "Tom"; DROP ALL DATABASES; and your website is not able to handle the quote marks correctly, then it will pass those extra commands to the database and the data will be deleted.

The above is just an example. It means that if you insert the following string into a search field, it may do damage if the site is not well protected: Tom"; DROP ALL DATABASES;

The main way to protect your site against it is escaping, a method in which the programmer inserts a backslash ( \ ) before dangerous characters like the semicolon ( \; ) or the quote mark ( \" ), and this way the database will be safe. All programmers should use prepared statements, a way to tell the database that any information sent via the forms should be treated as simple data and not as a command.

Now, about cross site scripting. Tom Scott explains that cross site scripting is the number one vulnerability on the web today.

The solution is to convert dangerous characters like < into text like &lt; so that instructions cannot be sent over this way. Everything you insert in the search boxes will then be seen as plain text. If you do not do that and someone inserts JavaScript code in the search box, the browser will execute that code. Since JavaScript can control everything in a webpage and since the browser does what this code asks, many malicious programs can be run this way.
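The two defenses described above, prepared statements and output escaping, shown as an added Python example that is not part of the original post. The users table, the function names and the script sample are assumptions made up for illustration; the SQL string is the one quoted in the article.

```python
import html
import sqlite3

# Constructed sample inputs; the first is the string quoted in the article.
SQL_PAYLOAD = 'Tom"; DROP ALL DATABASES;'
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db():
    """In-memory database with a hypothetical users table holding one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.execute("INSERT INTO users (username) VALUES (?)", ("Tom",))
    return conn


def build_query_unsafe(name):
    """Vulnerable pattern: input is pasted into the SQL text.
    Only the resulting string is returned; it is never executed here."""
    return 'SELECT * FROM users WHERE username = "' + name + '";'


def add_user(conn, name):
    """Prepared statement: the ? placeholder binds name as data only."""
    conn.execute("INSERT INTO users (username) VALUES (?)", (name,))


def find_user(conn, name):
    """Prepared statement lookup; quotes and semicolons in name stay data."""
    cur = conn.execute("SELECT username FROM users WHERE username = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def render_result(term):
    """Convert <, >, & and quotes to entities before echoing term into HTML."""
    return "<p>Results for: " + html.escape(term) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # The input's quote ends the string early, leaving a second command.
    print(build_query_unsafe(SQL_PAYLOAD))
    # Bound as a parameter, the same input is just a name that matches nobody.
    print(find_user(conn, SQL_PAYLOAD))
    add_user(conn, SQL_PAYLOAD)          # stored literally, nothing dropped
    print(find_user(conn, SQL_PAYLOAD))
    print(render_result(XSS_PAYLOAD))    # shown as text, not run as script
```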
