SQL injection attacks are amongst the most common and most dangerous attacks used to exploit web applications. The reason is simple: a clever SQL injection attack might allow the bad guys to insert third-party content into blogs and forums, and enables them to retrieve confidential information using little more than an ordinary web browser. In most cases the fault lies with the developers who don’t bother (or don’t have the time) to properly validate the user input gathered from website forms and API calls.
If you’re developing a web 2.0 application you’re most probably linking it with an underlying SQL database in order to interactively store and retrieve the website content. Now, you might have a thousand reasons for skipping proper validation of the data: it could be your boss rushing you and demanding that the project be completed before an unrealistic deadline, you might not be aware of the threats, or you might be leaving it for the post-release cleanup that is supposed to happen soon but eventually never gets implemented at all due to a change of plans.
However, if you do care about a proper implementation you’re pretty much forced to write custom routines to handle all the cases. Of course, different languages have different libraries to help you with the task, but a certain amount of work is still left to be done, and even though you might be as meticulous as you possibly can, you could still end up with an incomplete validation process. There are a few reasons for this, and probably the most significant one is that there’s a lot you have to know about different attacks, and new exploitation techniques are discovered on a daily basis.
Phew! Yes, you might think these are all truisms, as many people claim that there are no perfectly safe systems/applications and every new way of preventing intruders from accessing your data will eventually get circumvented by clever hackers. I guess the biggest problem with validating your data is that you pretty much have to do some work on it with every project you’re working on, and even after having created an appropriate library to do the job (or taking one from the Net) you might still have to bug fix and maintain it. The other problem with libraries is that the maintainer might decide to ditch the project due to lack of time or interest, and you could end up on your own fixing bugs in the library that your “old app” is still using. If you require some extra (and instant) security or are getting slightly paranoid (just like I am), you might want to take a look at the GreenSQL project.
What is GreenSQL?
GreenSQL is a database proxy that supports both MySQL and PostgreSQL. The way it works resembles a little the way SpamAssassin does. All the SQL queries that your application invokes on the database go first to this proxy server, which validates and evaluates them. It has the black- and whitelists typical of SpamAssassin, and it has a ‘learning’ mode that allows it to effectively distinguish normal database queries from malicious SQL. It can also block administrative commands that are usually not required for the web application to function, such as DROP TABLE or DROP DATABASE. On top of that there’s a friendly web interface that will help you fine-tune and amend the white/blacklists and other options.
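To make that mechanism concrete, here is an added illustrative model (hypothetical code written for this post, not GreenSQL’s own) of the learning mode, the query whitelist and the administrative-command blacklist described above: literals in each query are masked into a “shape”, shapes seen while learning are whitelisted, and once blocking is switched on anything with an unknown shape, or anything containing a DROP, is rejected.

```python
import re

# Every quoted string or bare number becomes "?", so queries that differ only
# in their parameters collapse to one "shape" that can be whitelisted.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")
# Administrative statements a web application normally never issues (blacklist);
# matched against the upper-cased shape, so the case of the raw query is irrelevant.
_ADMIN = re.compile(r"\b(DROP\s+(TABLE|DATABASE)|ALTER\s+TABLE|GRANT|REVOKE)\b")


def normalise(query: str) -> str:
    """Mask literals, collapse whitespace, drop a trailing ';' and upper-case."""
    shape = _LITERAL.sub("?", query)
    return _SPACE.sub(" ", shape).strip().rstrip(";").upper()


class QueryFilter:
    """Hypothetical model of a learning/blocking query proxy (not GreenSQL's code)."""

    def __init__(self) -> None:
        self.learning = True          # start in learning mode
        self.whitelist: set[str] = set()

    def check(self, query: str) -> str:
        """Return 'block', 'learned' or 'allow' for one query."""
        shape = normalise(query)
        if _ADMIN.search(shape):      # blacklist applies in both modes
            return "block"
        if self.learning:             # learning mode: remember the shape
            self.whitelist.add(shape)
            return "learned"
        return "allow" if shape in self.whitelist else "block"


def demo() -> dict:
    """Train on constructed sample traffic, then switch to blocking mode."""
    app_query = "SELECT id, body FROM posts WHERE author = '{}'"  # constructed template
    proxy = QueryFilter()
    for user in ("alice", "bob"):     # legitimate requests seen while learning
        proxy.check(app_query.format(user))
    proxy.learning = False
    return {
        "normal": proxy.check(app_query.format("carol")),
        # tautology input: the extra OR clause changes the query shape
        "tautology": proxy.check(app_query.format("' OR '1'='1")),
        # stacked statement: caught by the blacklist before the whitelist lookup
        "stacked": proxy.check(app_query.format("'; DROP TABLE posts; --")),
        "shapes": len(proxy.whitelist),
    }
```

A real proxy parses SQL properly rather than relying on regular expressions; the model is only meant to show why a tautology or a stacked statement ends up with a different shape from the application’s own queries.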
If you think you could do with some extra security, this might be one of the options for you to consider. Compared with code improvements to your app, it takes significantly less time to set up and run. Obviously, it’d be very silly indeed to encourage people to ditch their app-based user input validation and rely solely on GreenSQL or the like, but it is a very helpful addition to the effort of preventing unauthorised access to your data.
Performance
Nothing’s perfect – according to tests made by the GreenSQL folks, performance might drop by 2-12%; however, this shouldn’t have any impact on most of the web applications out there (small and medium). You can find more information on this subject over here.
GreenSQL is an open source effort and is being released under the GPL license.
The current version is 1.2.2-17.1, and overall GreenSQL has been downloaded over 30k times since the project started.
The GreenSQL documentation is available here.