Our web applications handle dynamic user inputs daily. What are the best practices for securing a relational database system in a production environment against SQL injection vectors at the database configuration level? We want a robust server-side defense mechanism.
3 answers
While code fixes are essential, your database engine configuration serves as a vital firewall against malicious input injections. You must ensure that the application connects using an account limited strictly to execute parameterized stored procedures or explicit CRUD commands on specific views. Completely block dynamic SQL execution context within your routines. Disable unnecessary internal features, and strip public read permissions from internal master system catalogs to prevent metadata harvesting.
Would implementing a Web Application Firewall at the network periphery provide sufficient protection alongside these internal database hardening steps?
Make sure you never display detailed database engine error messages back to the client interface, as this leaks crucial internal architectural structure info.
Hiding stack traces is essential. Malicious actors use those system error descriptions to map out database tables and orchestrate targeted injection scripts.
Louis, a WAF is a great exterior shield because it screens incoming HTTP traffic for signature web patterns. However, it should never replace database-level controls. A comprehensive defense-in-depth architecture demands both an exterior network filter and strict internal security configurations to stop internal threats or missed signatures.