SQL Injection Protect from Postgres Plus

SQL Injection is method of Hacking Data inside the Database.

Using SQL Injection, Hackers do multiple Attempt of SQLs to understand the Structure of tables and Try to get the hint of data inside a table.

For example, if a Hacker knows that UserName and Password of a Website are stored in a database table say member, then he can write query something like given below to fetch all the data inside the function as given below:
select * from tablename where 1=1;
Or
select * from tablename where 'x'='x';
Similarly, suppose Hacker wants to know the structure (Columns) of any table, then he can try multiple attempts of finding the column name by using the HAVING OR GROUP BY CLAUSE and can find the Columns Names Based on Error.
As given below:
postgres=# select * from test_sql_injection group by 1 having 1=1;
ERROR:  column "test_sql_injection.col" must appear in the GROUP BY clause or be used in an aggregate function
LINE 1: select * from test_sql_injection group by 1 having 1=1;
As we can See through Error Message, a hacker can find the columnname of table test_sql_inject, by doing the multiple attempts of such query.

Similarly if hackers wants to know about the datatype of a columns then, he can write query some thing like given below to find the datatype:
postgres=# select * from test_sql_injection UNION SELECT 1,1;
ERROR:  UNION types text and integer cannot be matched
LINE 1: select * from test_sql_injection UNION SELECT 1,1;

In above error Message, Hacker can see that Message is informing him that second column is of type text and he has passed integer.

There are many ways SQL Injection can be done by Hackers to guess the tablename, structure of table and data.

Cheat Sheet of such SQL Injection is given in following link:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/#SyntaxBasicAttacks


Till now, such SQL Injection, used to be taken care by some Application Layer or by using parameterized queries/prepare statements.

To protect Databases from such SQL Injections, EnterpriseDB has introduced a Module called SQL/Protect, which is developed by Jim Mlodgenski, Chief Architect EnterpriseDB.

This module comes with Postgres Plus Standard Server 9.0 and Postgres Plus Advanced Server 8.4.

To enable this feature, user has to make following changes in postgresql.conf file of PPAS data directory:
shared_preload_libraries = '$libdir/plugins/plugin_debugger,$libdir/plugins/plugin_spl_debugger,$libdir/sqlprotect'
custom_variable_classes = 'edb_sql_protect'     # list of custom variable class names
edb_sql_protect.enabled = on
edb_sql_protect.level = learn
edb_sql_protect.max_protected_roles = 64
edb_sql_protect.max_protected_relations = 1024

After setting the above parameters, restart the PG instance.
and execute the share/contrib/sqlprotect.sql file using psql command as given below:
psql -f "PPAS Installation Directory"/contrib/sqlprotect.sql dbname

For more information and Examples, please refer the following link of Advanced Server.
http://www.enterprisedb.com/docs/en/8.4/asguide/Postgres_Plus_Advanced_Server_Guide-09.htm#P1013_58469

Comments

Post a Comment

Popular posts from this blog

Does UPDATE Change ROWID in Oracle?

Yesterday, there was a discussion which was going on OTN (Oracle Forum). I was also part of that discussion. Discussion was about the "Does UPDATE statement change rowid in Oracle?" As per my comment of "UPDATE does not change rowid", one of the user has pointed me that UPDATE statement sometime changes the rowid in Oracle and given me following example. SQL> ed Wrote file afiedt.buf 1 create table moving_rowid ( 2 col1 number primary key, 3 col2 number, 4 col3 number, 5 col4 varchar2(10) 6 ) 7* organization index SQL> / Table created. SQL> insert into moving_rowid values( 1, 2, 3, 'foo' ); 1 row created. SQL> insert into moving_rowid values( 2, 3, 4, 'bar' ); 1 row created. SQL> select rowid, col1, col2, col3, col4 2 from moving_rowid; ROWID COL1 COL2 COL3 COL4 ---------------- ---------- ---------- ---------- ---------- *BAEADxsCwQL+ 1 2
Read more

PostgreSQL Database Link to Oracle Database on Linux

I have seen question, like "How to make Database Link from PostgreSQL to Oracle?", always floats in PostgreSQL Community Forum. So, I thought to do some research on it and write a Blog. Cybertec (One of The PostgreSQL Database Company) has released a PostgreSQL Module ODBC Link, using which user can make Database link to any other database, including Oracle, MS SQL Server, PostgreSQL etc, which have ODBC compliant Data source. Lets see how you can make ODBC Connection from PostgreSQL to any ODBC compliant data source and fetch data. Installation of this module is very simple. Following are the steps which user can follow: 1. Install the unixODBC driver on your linux machine. user can use following useful link for Downloading and Installing the unixODBC Driver: http://www.unixodbc.org/ 2. Download ODBC-Link from following location: http://www.cybertec.at/download/odbc_link/ODBC-Link-1.0.4.tar.gz 3. Untar the downloaded file as given below: tar -zxvf ODBC-Link-1.0.4.
Read more

Fix of "ORA-29275: partial multibyte character"

This happened to me when I was trying to migrate the Oracle Database to Advanced Server & PostgreSQL. This kind of error comes if Data in Oracle have some junk/invisible Characters which conversion is unknown. select * from junk_character; 'ORA-29275: partial multibyte character' Oracle Descritption for this error is given below: ORA-29275: partial multibyte character Cause: The requested read operation could not complete because a partial multibyte character was found at the end of the input. Action: Ensure that the complete multibyte character is sent from the remote server and retry the operation. Or read the partial multibyte character as RAW. Which doesn't give much information. To find the the column and rows which have those junk/invisible character user can try following trick. a. Select the data column wise as given below: select col1 from tablename; select col2 from tablename; If you are sure about the columns which has those junk charac
Read more