Better Understanding of Security and injection attacks SQLite - Printable Version
Python Forum (https://python-forum.io), Python Coding > General Coding Help, thread /thread-17265.html
Better Understanding of Security and injection attacks SQLite - KevinBrown - Apr-04-2019

From Sebastian Raschka's excellent document "A thorough guide to SQLite database operations in Python". I would like to better understand the risk from injection attacks and have laid out several questions. If you can assist by only answering one of these, don't hold back from posting a reply.

Quote: For example, if our database would be part of a web application, it would allow hackers to directly communicate with the database in order to bypass login and password verification and steal data.

Quote: However, the problem with this approach is that it would only work for values, not for column or table names. So what are we supposed to do with the rest of the string if we want to protect ourselves from injection attacks? The easy solution would be to refrain from using variables in SQLite queries whenever possible, and if it cannot be avoided, we would want to use a function that strips all non-alphanumerical characters from the stored content of the variable, e.g.,

Do hackers use a password / login entry widget to inject a hacking script?

Do hackers use any entry widgets in GUI screens to inject hacking scripts?

With regard to table names and column names, I'm not clear on the recommendation given above. For example, if I have a table named 'CarTypes_01' and columns 'ColManuf_01' and 'ColLocn_02', how do I protect these in queries?

Do hackers get to see the design structure of the database, and is this the main risk?

Can I make SQLite 100% secure against such attempted hacks?

RE: Better Understanding of Security and injection attacks SQLite - Legomancer - Apr-09-2019

Hi Kevin. I recently learned about database security. For full disclosure, it was with PHP to render a website instead of Python, a MySQL database instead of SQLite, and SQL to query the database.
Quote: Do hackers use a password / login entry widget to inject a hacking script?
If by “widget” you mean a textbox for a form, then yes, someone could attempt to enter malicious code into it. I guess it depends what characters the textbox is set up to accept.

Quote: Do hackers use any entry widgets in GUI screens to inject hacking scripts?
If by “entry widgets” and “GUI screens” you mean a form on a website, then yes.

Quote: With regard to table names and column names, I'm not clear on the recommendation given above. For example if I have a table named 'CarTypes_01' and columns 'ColManuf_01' 'ColLocn_02' how do I protect these in queries?
It sounds like the security measures mentioned in the book should protect the whole database, including the tables and columns within it.

Quote: Do hackers get to see the design structure of the database and is this the main risk?
I don't know what you mean by “design structure”. Hackers probably guess what kind of database you are using and try all kinds of code inputs until one works. Taking the security measures described in the book will hopefully make it harder for attackers to guess what code to stick in a textbox.

Quote: Can I make SQLite 100% secure against such attempted hacks?
I've heard that security experts don't like to quantify safety as a %; they prefer to say “likelihood”. Securing a website as described in the book will make it “less likely” to get hacked.
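Added worked example (written for this page; it is not code from the thread or from Raschka's guide). It covers the two points raised in the first post: the login bypass that the quoted passage warns about, shown with a string-formatted query next to a parameterised one, and the table/column-name case (CarTypes_01, ColManuf_01, ColLocn_02) that '?' placeholders cannot handle. The Users table, its two rows and the car rows are constructed sample data; the pragma_table_info table-valued function assumes SQLite 3.16 or newer.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema. CarTypes_01 / ColManuf_01 / ColLocn_02 are the
    names from the question; the Users table and all rows are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (username TEXT, password TEXT);
        INSERT INTO Users VALUES ('alice', 'correct horse'), ('bob', 'hunter2');
        CREATE TABLE CarTypes_01 (ColManuf_01 TEXT, ColLocn_02 TEXT);
        INSERT INTO CarTypes_01 VALUES ('Volvo', 'Gothenburg'), ('Fiat', 'Turin');
    """)
    return conn


# --- values: the login check ------------------------------------------------
# Plaintext passwords only keep the injection demonstration short; a real
# application compares a password hash instead.

def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting: the input becomes part of the SQL
    text, so a quote inside it ends the string literal early and the rest of
    the input is parsed as SQL."""
    sql = ("SELECT username FROM Users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Parameterised query: the driver hands the values to SQLite separately
    from the SQL text, so whatever they contain is compared as data."""
    sql = "SELECT username FROM Users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# --- identifiers: table and column names ------------------------------------
# A '?' placeholder cannot stand in for a table or column name, so those are
# checked against the schema itself and then quoted before being spliced in.

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_identifier(name):
    """SQL-standard identifier quoting: wrap in double quotes and double any
    embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def known_tables(conn):
    return {row[0] for row in
            conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}


def known_columns(conn, table):
    # pragma_table_info is a table-valued function (SQLite >= 3.16), so even
    # the table name used for introspection can be bound as a parameter.
    return {row[0] for row in
            conn.execute("SELECT name FROM pragma_table_info(?)", (table,))}


def identifiers_allowed(conn, table, column):
    """True only if both names look like plain identifiers AND exist in the
    schema. Rejecting (rather than stripping characters) fails closed: an
    attacker cannot steer a mangled name onto some other existing column."""
    if not (IDENTIFIER.match(table) and IDENTIFIER.match(column)):
        return False
    return table in known_tables(conn) and column in known_columns(conn, table)


def select_where(conn, table, column, value):
    """Lookup with a caller-chosen table and column: the identifiers go through
    the allowlist and are quoted; the value is still a bound parameter."""
    if not identifiers_allowed(conn, table, column):
        raise ValueError("table/column not in schema: %r.%r" % (table, column))
    sql = "SELECT * FROM %s WHERE %s = ?" % (
        quote_identifier(table), quote_identifier(column))
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = "' OR 1=1 --"   # typed into the username box of a login form
    print("vulnerable:", login_vulnerable(db, attack, "anything"))  # every user
    print("safe:      ", login_safe(db, attack, "anything"))        # nobody
    print(select_where(db, "CarTypes_01", "ColManuf_01", "Fiat"))
    print(identifiers_allowed(db, "CarTypes_01", 'ColManuf_01" OR 1=1 --'))
```

Run as a script it prints the bypass (both users returned for a username of ' OR 1=1 --), the parameterised version returning nobody, and the identifier check rejecting the injected column name. On the stripping idea from the quoted passage: removing non-alphanumeric characters does stop SQL syntax from getting into the name, but it still lets the caller pick any column that happens to exist; checking the name against the schema, or better against the fixed set of names the application actually expects, rejects anything unexpected instead of quietly repairing it.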