Posts

Recently, I received a website inquiry asking about SQL and XML injections and decided to share my response here to help others with the same questions.

What is a SQL injection?

A SQL injection is when someone inserts a SQL query, using a meta character such as a quote, into a website's form field in order to gain access to sensitive data in a database, make changes to the database, or otherwise exploit a database or a website that is powered by one. This is a well-known vulnerability and can wreak havoc on a website and the database behind it. It has been used on websites to insert malicious code, redirect a website to another website, and more. Often, older versions of PHP or SQL software contribute to this type of vulnerability because of known security issues. This can become a problem when programmers write code and then do not update it to keep up with the latest releases. Form validation and limiting what can be entered in fields is extremely important, because any field on a website can make the site vulnerable.
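The following is an added example, not part of the original post, showing the point above in code: a lookup built by string concatenation, the same lookup as a parameterised query, and an allowlist check for the field. It uses Python's standard sqlite3 module with a constructed in-memory table; the `users` table, its rows and the sample inputs are all made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample table so the effect of the injection is visible offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # Query text is built by concatenation: a ' meta character in the input closes the
    # string literal and whatever follows is parsed as SQL, not as data.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterised query: the SQL text is fixed and the value travels separately,
    # so the input is only ever compared as data no matter what characters it holds.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Allowlist validation for the form field (assumed policy: letters, digits, underscore, 1-32 chars).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def demo():
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"   # constructed input containing the ' meta character
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),  # returns every row
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_hostile": len(lookup_safe(conn, hostile)),              # matches nothing
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Run it and the concatenated version returns all three users for the hostile input while the parameterised version returns none; the allowlist check rejects the same input before it ever reaches the database.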

What about XML?

With XML, what's known as XML External Entity Injection (XXE) occurs when an external entity is referenced to reveal information during the XML parsing process. This could expose server files, data including private user data, enable port scanning, and more. Additionally, XXE attacks can exhaust computer resources when external entities reference each other and overload the server's memory.

“How do I prevent upload vulnerabilities?”

Your second question, "How do I prevent upload vulnerabilities?", is a bit trickier to answer. The Open Web Application Security Project (OWASP) is a great resource. Here are some links that I hope will help.
https://www.owasp.org/index.php/Category:Vulnerability
https://www.owasp.org/index.php/SQL_Injection
https://www.wikihow.com/Prevent-SQL-Injection-in-PHP
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

If you have your own website and want to be able to update it easily while keeping it safe, you might consider a WordPress framework. You can easily run WordPress on your website’s server. WordPress can be downloaded from https://wordpress.org and runs best and is most secure on Linux servers with SQL database access. Many web hosting providers offer a simple application install for WordPress. If you do install WordPress, be sure to install the Wordfence Security plugin ( https://wordpress.org/plugins/wordfence/ ) which scans websites, alerts to vulnerabilities and needed updates, and protects against unauthorized access. 

Also, if you use forms on your site, you may want to integrate Google's reCAPTCHA ( https://www.google.com/recaptcha/intro/v3.html ) to protect your site from spam form submissions.

I hope this helps demystify some known and widely reported security vulnerabilities on websites.

Photo Courtesy of Shel Rogers Photography | Clovis NM

