  1. #1
    Member
    Join Date
    Jan 2006
    Location
    Mulund, India, India
    Posts
    118

    SQL Injection

    Hello All,

    I want to know how I can protect the websites hosted on a cPanel server against SQL injections. There are a few websites which are being infected with SQL injections, some of them being pure HTML pages.
    Nitesh Shah

    Cheap Managed Dedicated Servers - http://www.qualispace.com/managed-servers/index.html

  2. #2
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator


    Three things you can do to keep yourself safe:

    (1) Install mod_security and get a set of rules that block SQL injections;

    (2) Switch to using suPHP if you don't already, as it will stop them learning other SQL passwords from your server;

    (3) Install the configserver.com firewall CSF, which will block anyone trying repeated SQL injections (i.e. anyone raising repeated mod_security alerts). This will block anyone repeatedly trying to hack you, which minimizes your exposure.

  3. #3
    Registered User
    Join Date
    Aug 2007
    Posts
    3


    My experience with SQL injection blockers is that they are a mixed blessing. SQL uses keywords that appear all the time in ordinary English like "select", "insert", and so on, and the blocker installed where I worked wasn't tuned perfectly to recognize true SQL. Sometimes it blocked legitimate input. Also, everything could be working fine but we'd get an update from the blocker vendor and it would break something. So you might want to try SQL blockers, but they may or may not work well for you.

    Another option is to have a meeting with the users and go over the issues. If they design their web forms with security in mind, they can prevent any SQL injection by never allowing anything that comes in from a web page to be executed against a database. This is not hard to do, it just requires that you stop thinking like a decent human being and think instead like a hacker - how could I put something in this form that will cause a problem. [I know, it's sad.]

    If their current web processing allows SQL injection (which it obviously does) this will require some work on the programmer's part to fix. But it will also sensitize them to what the issues are and help them to design their future web forms more securely.

    If, on the other hand, the users have gotten their web pages from somewhere else and don't have the expertise to fix the problem, then I guess there's no option but to use an injection blocker.

    Good luck.

    Alan

  4. #4
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator


    All Alan has said is great advice. The only thing I'd add is that, if you use a reasonable set of rules, you will get many of the injection attacks. If you use an overly strong set of rules, you'll also block legitimate application use.

    With the set of mod_security rules we use, the protection isn't absolute but we've had only one false positive in the last year or so.

    There's simply no substitute for fixing the application!
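The two points made in posts #3 and #4, that keyword-based injection blockers both flag harmless English and miss real injection, and that the only real fix is to stop splicing form input into SQL, can be shown in a few lines. The example below is added for this thread and is not code from any poster; it uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL sites the original poster is hosting, and the table, the `users` rows and the `naive_blocker` keyword rule are all constructed for illustration.

```python
import re
import sqlite3

# Constructed sample database: two rows, nothing from the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, name):
    # The pattern Alan describes: whatever came in from the web form is
    # pasted straight into the SQL text, so the input can rewrite the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # The fix: the value is bound as a parameter and is never parsed as SQL,
    # so quotes and keywords in it are just characters in a string.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# A keyword-only rule of the kind the thread complains about (hypothetical;
# real mod_security rule sets are considerably more involved).
SQL_KEYWORDS = re.compile(r"\b(select|insert|update|delete|union|drop)\b", re.IGNORECASE)

def naive_blocker(value):
    """Return True if the blocker would reject this form value."""
    return bool(SQL_KEYWORDS.search(value))

def demo():
    conn = make_db()
    # A tautology in the name field makes the vulnerable query return every row.
    injected = "x' OR '1'='1"
    results = {
        "vulnerable_rows": len(find_user_vulnerable(conn, injected)),
        "safe_rows": len(find_user_safe(conn, injected)),
        # Ordinary English tripped by the keyword rule (false positive)...
        "blocks_plain_english": naive_blocker("Please select the insert size"),
        # ...while the actual injection carries no keyword at all (false negative).
        "blocks_injection": naive_blocker(injected),
    }
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` gives two rows from the vulnerable query and none from the parameterised one for the same input, while the keyword rule rejects "Please select the insert size" and lets the tautology through. That is exactly the trade-off brianoz describes: a rule set strict enough to catch every variant also blocks legitimate use, whereas the parameterised query is immune regardless of what the blocker does.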
