Recently, I received a website inquiry asking about SQL and XML injections and decided to share my response here to help others with the same questions.
What is a SQL injection?
A SQL injection occurs when someone injects, or inserts, a SQL query into a website’s form field using a meta character, in order to gain access to sensitive data in a database, make changes to the database, or otherwise exploit the database or the website it powers. This is a well-known vulnerability and can wreak havoc on a website and the database behind it. It has been used to insert malicious code into websites, redirect a website to another website, and more. Older versions of PHP or SQL database software often contribute to this type of vulnerability because of known security issues; the problem arises when programmers write code and then do not update it to keep up with the latest releases. Form validation and limiting what can be entered in fields are extremely important, because any field on a website can make the site vulnerable.
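To make the point concrete, here is an added example (not code from the original post) in Python with an in-memory SQLite table standing in for the database behind a form. It shows a lookup that pastes the form value into the SQL text beside the same lookup using a bound parameter, plus the kind of input allowlist the paragraph recommends; the table contents and the `users` schema are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory users table standing in for the
# database behind a login or profile-lookup form.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    return conn

def lookup_unsafe(conn, username):
    # Vulnerable: the form value is pasted straight into the SQL text, so a
    # single quote in the input ends the string literal and whatever follows
    # becomes part of the query the database executes.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Hardened: the value travels as a bound parameter, never as SQL text, so
    # the database treats the entire input as one opaque string to compare.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def valid_username(value):
    # Form validation as a second layer: reject anything outside a short
    # allowlist of characters before it ever reaches the database.
    return USERNAME_RE.fullmatch(value) is not None

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"             # a quote-bearing value typed into the field
    print(lookup_unsafe(conn, crafted))  # every row comes back
    print(lookup_safe(conn, crafted))    # [] : no user is literally named that
    print(valid_username(crafted))       # False: rejected before any query runs
```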
What about XML?
With XML, what’s known as XML External Entity Injection (XXE) occurs when an external entity is referenced during the XML parsing process in order to reveal information. The exposed information could include server files, data including private user data, and more; XXE can also be used for port scanning. Additionally, XXE attacks can overwhelm computer resources when external entities reference each other and overload the server’s memory.
“How do I prevent upload vulnerabilities?”
Your second question, “How do I prevent upload vulnerabilities?”, is a bit trickier to answer. The Open Web Application Security Project (OWASP) is a great resource. Here are some links that I hope will help.
If you have your own website and want to be able to update it easily while keeping it safe, you might consider the WordPress framework. You can easily run WordPress on your website’s server. WordPress can be downloaded from https://wordpress.org and runs best, and is most secure, on Linux servers with SQL database access. Many web hosting providers offer a simple application install for WordPress. If you do install WordPress, be sure to install the Wordfence Security plugin (https://wordpress.org/plugins/wordfence/), which scans websites, alerts you to vulnerabilities and needed updates, and protects against unauthorized access.
Also, if you use forms on your site, you may want to integrate Google’s reCAPTCHA (https://www.google.com/recaptcha/intro/v3.html) to protect your site from spam form submissions.
I hope this helps demystify some known and widely reported security vulnerabilities on websites.