type: Post
status: Invisible
date: Oct 22, 2022
summary: Review
tags: Cyber Security, Review
category: Review
Property: Feb 12, 2023 02:22 PM

II Database

SQLi Countermeasures

  • Defensive coding
    • Manual defensive coding practices (e.g., input type checking, pattern matching)
    • Parameterized queries: the structure of the SQL statement is specified up front and the values are passed separately as parameters, so the statement is pre-compiled before any user data is attached to it
  • Detection
    • Signature based: match specific attack patterns
    • Anomaly based: define normal behavior, then flag behavior patterns outside the normal range
    • Code analysis: use a test suite to detect SQLi vulnerabilities in the code
  • Run-time prevention
    • Check queries at runtime to see whether they conform to a model of the expected queries
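The defensive-coding and run-time-prevention points above, as an added worked example that is not part of the original notes: a string-concatenated lookup beside its parameterized form, plus a toy "expected query model" check of the kind run-time prevention relies on. The in-memory `users` table, the `EXPECTED_SKELETONS` model and the `query_skeleton` helper are constructed for illustration and are not a standard API.

```python
import re
import sqlite3

# Constructed in-memory sample table (not from the original notes).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])


def lookup_vulnerable(name: str) -> list:
    """Builds the SQL by string concatenation: user data becomes part of the
    statement's structure, which is exactly what SQLi exploits."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(name: str) -> list:
    """The statement structure is fixed; the value is bound separately, so the
    database never interprets it as SQL."""
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Run-time prevention: a minimal "expected query model". Literals are replaced
# by a placeholder and the resulting skeleton must be one the application is
# known to issue. (Hypothetical helper for illustration only.)
EXPECTED_SKELETONS = {"SELECT id FROM users WHERE name = <lit>"}


def query_skeleton(sql: str) -> str:
    sql = re.sub(r"'(?:[^']|'')*'", "<lit>", sql)  # string literals ('' escapes a quote)
    sql = re.sub(r"\b\d+\b", "<lit>", sql)         # numeric literals
    return " ".join(sql.split())                   # normalize whitespace


def conforms_to_model(sql: str) -> bool:
    return query_skeleton(sql) in EXPECTED_SKELETONS


if __name__ == "__main__":
    benign = "alice"
    tautology = "' OR '1'='1"  # classic textbook tautology input, used to show the defense working
    print(lookup_vulnerable(benign), lookup_vulnerable(tautology))          # [1] [1, 2, 3]
    print(lookup_parameterized(benign), lookup_parameterized(tautology))    # [1] []
    print(conforms_to_model("SELECT id FROM users WHERE name = 'alice'"))   # True
    print(conforms_to_model("SELECT id FROM users WHERE name = '" + tautology + "'"))  # False
```

The concatenated version returns every row for the tautology input, the parameterized version treats it as an ordinary (non-matching) name, and the skeleton check rejects the altered statement structure.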