Database security matters in any application that has its own database. A database usually contains all sorts of information, including sensitive data such as user passwords. If the database is not secured properly, the entire application can be compromised and that sensitive information stolen. There are many database systems, such as MySQL, Oracle, MSSQL and PostgreSQL, and it is true that each offers stronger security in different areas. This write-up, however, covers eight general methods for keeping a database secure, whichever system you use.
1. Separate the web server application and database
If you are hosting a web application, the most economical option is to run both the web server application and the database on a single machine. Economical as this is, it is not recommended. The web server application and the database should be separated to provide better security. This keeps the database safer, because it sits on its own server that opens only the database port, and only to your application servers. The fewer ports are open, the safer the server is. The other advantage is that you can add another layer of firewall in front of the database server.
2. Never use the DEFAULT database administrator credentials
Some developers use exactly the default administrator username and password. Others keep the default username and only choose a slightly more sophisticated password. The rule is: never use the default administrator credentials. Change both the administrator username and the password. The default credentials are known to everyone and should not be used.
3. Encrypt your entire database
This might sound excessive, but it is not impractical. Servers nowadays are fast enough that encrypting every value before it is stored in the database has become a reasonable method for better privacy. You do not have to do it the hard way by encrypting the data yourself: popular databases such as MySQL, MSSQL and Oracle ship with this feature, although it may require additional steps when setting up your database. Encrypting your database also means the stored values cannot be read without performing a decryption.
4. Making use of HASH function
Some sensitive information you never need to read back. You only need to store it so that, when authenticating a user, you can compare it. The obvious case is the user password. Hash passwords, because you do not need to know them; the fewer people who can learn a password, the better the security. In addition, hash each user's password with a different random value (a salt). Then even when two or more users choose the same password, the stored hash values differ.
5. Use prepared statements
If you are writing your application on top of Java or .NET, use prepared statements when executing SQL. Prepared statements help secure your application against SQL injection, which is one of the most common website attacks and deserves full consideration. SQL injection can be so damaging that it brings down your entire database, and prepared statements are the standard defence. It is sometimes claimed that prepared statements slightly reduce database performance, but the cost is worth it unless you have another method planned to prevent SQL injection.
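To show why the point above holds, here is an added example (not from the original post) in Python with the built-in sqlite3 module rather than Java or .NET: the same lookup written by string concatenation and with a prepared statement, run against a small constructed users table.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory sample database (constructed test data, not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenates user input into the SQL text, so the input can change the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Sends the value as a bound parameter; it is only ever treated as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # a classic injection string, used here as a test input
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every user
    print("prepared:  ", lookup_prepared(db, probe))    # returns nothing
```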
6. Write a stored procedure
Writing stored procedures is another method of preventing SQL injection. This approach has a steeper learning curve than prepared statements, but if time and resources allow, moving your database queries into stored procedures gives your application great value: it not only protects against SQL injection (provided the procedures take parameters rather than assembling dynamic SQL from them) but also speeds up query execution. In short, the application can run faster and more securely than one that does not use stored procedures.
7. Validate all input
Web applications have many inputs, and validating them is crucial. Validation should be done on both the client and the server side, and it should cover not only text boxes but also combo boxes, list boxes, text areas and every other kind of input. One purpose is to reject or escape as many unexpected symbols and special characters as possible. The other is to provide a first level of protection against SQL injection before the data reaches the database layer.
8. Use less GET parameters
Another way SQL injection happens is through the URL, since many developers love to pass their parameters as GET parameters. It is understandable: GET parameters are an easy way to carry a value from page to page. But take note: pass a variable as a GET parameter only if it is not sensitive and, if possible, only if it is not inserted directly into a database query. You can also use URL rewriting, but why cure the problem when you can design the system to rely on as few GET parameters as possible.
Conclusion to Database Security
As you may realize, there are far more than eight ways to protect your database effectively. These eight, however, can be the first stepping stone toward a properly secured database.