By using SQL injection technique, a hacker can easily enumerate the target database to gain sensitive information such as username, password, etc. SQL injection is not always successful. Not all website is vulnerable to SQL injection. Some website with input validation in their form will not be easily injectable.
An SQL injectable website will result in following pages (or similar) when you input " ' " (Single Quotation Mark). This is the example of SQL injection vulnerable website :
This website do not have input validation in their log in form so when a " ' " (Single Quotation Mark) is inputed, the code will consider this input to be an SQL query which result in the above error page.
This means the hacker can exploit the database and in worst case scenario the hacker can take the ownership of the website.
With this SQL injection threat, it is highly encouraged for web developer to develop a web site with SQL injection defines such as :
- Input Validation in Log in Form
- Use Web Application Firewall
- Limit Database Privileges
Tidak ada komentar: