From the course: Programming Foundations: Secure Coding

Database

- We talked about a couple of the potential issues with databases from other perspectives, but databases and other backing services are used in multiple ways for targeted attacks. Let's start our discussion once again with SQL injection attacks. I mentioned these attacks when we discussed user input validation, and indeed that is a good mitigation for these attacks. Another good mitigation is using frameworks or strategies to connect to databases. SQL statements should include bind variables and parameters. Now you can write full statements or use bind variables. Creating full statements is susceptible to injection attacks because these statements are often concatenated with user input strings like in our previous example, but when you use bind variables and parameters, you remove that risk because of how the drivers will create the statement for you and escape any text. Using a bind variable allows you to place a variable in the statement where you expect the user input to be added…
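As an added example (not the course's own code), here is the contrast the transcript describes, written with Python's built-in sqlite3 module against a constructed in-memory users table: the concatenated statement lets a quote inside the input change the query, while the bound version hands the same input to the driver as a value that can only ever match a literal username.

```python
import sqlite3

# Constructed sample data (assumption: a minimal users table; not from the course).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),  # a legitimate username containing a quote
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    # Even the seeding uses bind variables, so the quote in "o'brien" is stored as data.
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the transcript warns against: the user string is spliced into
    the SQL text, so any quote or operator it contains is parsed as SQL, not data.
    A stray quote either breaks the statement or rewrites its WHERE clause."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, username: str) -> list:
    """The mitigation: the statement carries a placeholder and the value travels
    separately, so the driver never parses the input as SQL. Quotes inside the
    value need no manual escaping and cannot alter the query's structure."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_bound(db, "o'brien"))   # quote handled as data: ["o'brien"]
    print(lookup_bound(db, "x' OR 'a'='a"))  # treated as one literal name: []
```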
