344 Chapter 14 ■ SQL Injection
■ Exercise least privilege and give the database and the applications that attach to it only the access they need and nothing more.
■ Ensure that applications are well tested before deployment into production.
■ Avoid default configurations and passwords.
■ Disable error messages outside the test and development environments.
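The following is an added example, not code from the book: it contrasts a query built by string concatenation (the pattern that makes injection possible) with a parameterized query, and shows the "disable error messages" rule applied at the application boundary. The table, rows and crafted input are constructed for the demonstration and run against an in-memory SQLite database.

```python
import logging
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable pattern: the input is pasted into the SQL text, so quote
    characters in it change the structure of the statement itself."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened pattern: a parameterized query binds the input as a value,
    so it is only ever compared as data and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def handle_lookup(conn: sqlite3.Connection, name: str) -> dict:
    """Application boundary: the detailed database error goes to the log,
    while the client receives only a generic message."""
    try:
        return {"ok": True, "users": lookup_safe(conn, name)}
    except sqlite3.Error as exc:
        logging.getLogger("app").error("lookup failed: %s", exc)
        return {"ok": False, "error": "request could not be processed"}


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"   # constructed input containing SQL syntax
    print("concatenated query returns:", lookup_unsafe(db, crafted))
    print("parameterized query returns:", lookup_safe(db, crafted))
```

Running it shows the concatenated query returning every row while the parameterized version returns none, because the same characters are treated as a literal name.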
Summary
This chapter explored SQL injection attacks and how they function. I discussed these
attacks and showed you how to defend against them. You learned that SQL injection is one
of the most complex and powerful types of attacks seen today. Attacks designed to use or
leverage SQL can be devastating. To carry out such an attack, you need to have knowledge
of web applications, databases, and SQL.
SQL injection can be very complex and dangerous in the hands of a skilled
attacker. With a few lines of code, an attacker can destroy, delete, or modify data
with relative ease. A particularly skilled attacker can even send commands directly to the
operating system itself, performing even more dangerous operations up to and including
privilege escalation and the installation of software.
Exam Essentials
Understand the various types of databases. Know the various types of databases, including hierarchical and relational, each of which stores information a little differently.
Know the mechanics of SQL injection. Know the basics of SQL injection attacks and how
they work. Know that while different databases may have different syntax and structure,
SQL injection attacks have common operating characteristics.
Understand how web applications use databases. Know that many web applications
rely on a database in which the application stores its data, configuration, and other
information.