Any site that uses a database backend needs to be very aware of how easy a SQL injection attack is; just do a search on YouTube and you'll find loads (well, just under 800). For a good (and easy to read) book explaining how to protect against SQL injection (using PHP and MySQL 5), check out this book.
For those of you who want to take a belt-and-braces approach to your website back end security an interesting option is GreenSQL.
GreenSQL is an Open Source database firewall designed to protect databases from SQL injection attacks. It works as a proxy, sitting between the application and the database server.

GreenSQL uses a risk scoring matrix as well as blocking known database admin commands such as DROP and CREATE.
It is released under the GPL licence, and comes ready packaged for Debian, Ubuntu, Red Hat (and rebuilds) and FreeBSD.
Installation
Installation is fairly simple:
- Download the greensql-fw package (here)
- Install
- Set up the configuration database (/usr/sbin/greensql-config, using either MySQL or PostgreSQL) to store alerts and the configuration
- Start the firewall (/etc/init.d/greensql-fw start)
- Load up the web-based management tool
- Validate the settings by connecting through the proxy (mysql -h 127.0.0.1 -P 3305 -u root -p)
- Change your PHP code to point to the firewall
Once you have reached step 6 (Validate), you can type the show databases; command, and (if everything is set up correctly) you will get this result: Query OK, 0 rows affected (0.00 sec). No database list comes back because GreenSQL is blocking the command.
Changing the PHP code is easy as well. If your existing connection looks like $link = mysql_connect('localhost', 'mysql_user', 'mysql_password');, just change it to $link = mysql_connect('127.0.0.1:3305', 'mysql_user', 'mysql_password'); so that the application talks to the firewall on port 3305 instead of directly to MySQL, and you are all set.
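Here is an added example (not code from the original post or from the GreenSQL project) of the final step, a PHP application routed through the GreenSQL proxy, written with mysqli rather than the post's mysql_* extension, which was removed in PHP 7.0. It assumes GreenSQL listens on 127.0.0.1:3305 as in the post; the database name 'shop', the table 'products' and the credentials are placeholders. It also keeps the application-level defence in place, since the firewall is the second layer of the belt-and-braces approach, not a replacement for parameterised queries.

```php
<?php
// Added example, not part of the original post or the GreenSQL project.
// Assumptions: GreenSQL proxy on 127.0.0.1:3305 (the post's default) forwarding
// to the real MySQL server; 'shop', 'products' and the credentials are placeholders.

const GREENSQL_HOST = '127.0.0.1';
const GREENSQL_PORT = 3305;   // GreenSQL proxy port, not MySQL's own 3306

// mysqli takes the port as a separate argument instead of the old
// mysql_connect('host:port', ...) form used in the post.
function connect_via_greensql(string $user, string $password, string $db): mysqli
{
    // Throw exceptions on connection or query errors instead of returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli(GREENSQL_HOST, $user, $password, $db, GREENSQL_PORT);
}

// First layer of defence: never build SQL by concatenating user input.
// A prepared statement sends the query text and the parameter separately,
// so whatever the caller passes is compared as a value, not parsed as SQL.
function find_product(mysqli $link, string $untrusted_id): ?array
{
    $stmt = $link->prepare('SELECT id, name, price FROM products WHERE id = ?');
    $stmt->bind_param('s', $untrusted_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$link = connect_via_greensql('mysql_user', 'mysql_password', 'shop');

// Normal request: the query passes through GreenSQL to MySQL as usual.
var_dump(find_product($link, '42'));

// Input that is not a plain id: with the prepared statement it simply matches
// no row. GreenSQL remains in the path as the second layer, scoring and
// blocking queries that reach it, whatever the application code does.
var_dump(find_product($link, 'not-a-product-id'));

$link->close();
```

Because every query now passes through port 3305, the GreenSQL management tool will show the application's traffic and any alerts it raises, which is a quick way to confirm the switch took effect for every connection string in the code base, not just the one you remembered to change.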
We like this very much. Check it out here.