Subscribe by Email

Your email:

Browse By Date

Biometric Security and Control Blog

Current Articles | RSS Feed RSS Feed

SQL Injection—What It Is and How to Prevent It Using Biometrics


SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application.  This vulnerability is present when user input is manipulated for string literal escape characters embedded in SQL statements or user input is not sufficiently filtered and thereby unexpectedly executed.  With the aid of Web Proxy Tools, filtering cannot be guaranteed.  SQL injection is, in fact, an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.  This condition results in the potential manipulation of the statements performed on the database by the end user of the application which violates security policy.  Such manipulation is difficult to detect since there is usually no error being reported when this happens.

The following line of code illustrate how this vulnerability can be executed.

statement: "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to pull up the records of a specified username from its table of users; however, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may be able to retrieve more than the code the sender intended.  For example, setting the "userName" variable as a' or 't'='t renders this SQL statement by the parent language:

SELECT * FROM users WHERE name = 'a' OR 't'='t';

Biometrics in general can prevent attacks like this, so long as the biometric system can replace the password and use of a password field.  Any Biometrics system that does not take a user name or password as an input parameter and is able to resolve the identification of users can be effective as a preventative measure against this type of attack.  A fingerprint biometrics system like TEAMS® counters this type of attack as the TEAMS® authentication method does not utilize a password or password field for identification purposes.  Therefore, wherever the TEAMS® authentication method is employed, the possibility of SQL Injection is eliminated.

The use of the TEAMS® authentication method complements other protective measures taken to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6.
All Posts