Network Box has issued advice to customers who operate public web servers on protecting against SQL injection attacks, urging them to exercise caution, particularly where servers are accessible over the internet.
It said that SQL injection attacks are extremely hard to stop at the gateway, because the attacks come through a genuine application that has been exploited. It claimed that while intrusion detection and prevention systems can block many exploits, such systems can offer only limited protection in the case of private, internal applications.
Simon Heron, internet security analyst at Network Box, said: “Our intrusion detection system can identify known SQL injection exploits, with application-specific and worm-specific protection modules. But many companies use private or closed applications that can't be protected in this way, and they need to ensure that they are secure.”
Network Box advised companies to deploy three main methods to prevent such attacks. In addition to keeping application patches up to date: use ‘parameterised’ SQL statements, passing values as clearly defined parameters to the SQL instruction; validate each parameter ID; and ‘escape’ parameters before inserting them into the SQL statement.
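The measures above, as an added Python example that is not code from Network Box or from the article: it uses the standard-library sqlite3 module and a constructed in-memory users table to show a string-built query beside its parameterised form, plus a validator for an integer ID parameter. Function and table names are the example's own assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Vulnerable pattern: the caller-supplied text is spliced into the SQL
    # grammar, so quote characters in it can change the query's meaning.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Parameterised statement: the driver binds the value to the "?" marker
    # after the query is parsed, so the text can never alter the structure.
    # This is preferable to hand-escaping, which is easy to get wrong.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def is_valid_id(raw_id: str) -> bool:
    # Validate a parameter ID before it goes near the database:
    # accept only a string of ASCII digits, reject everything else.
    return raw_id.isascii() and raw_id.isdigit()


def find_user_by_id(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    if not is_valid_id(raw_id):
        raise ValueError("invalid user id")
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print("unsafe:", find_user_unsafe(db, probe))  # every row comes back
    print("safe:  ", find_user_safe(db, probe))    # no row matches the literal
```

The unsafe function returns all three names for the probe input, while the parameterised version returns none because the whole string is compared as a literal value.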