SQL Injection Protection Framework
SQL Injection Protection Framework
Overview
HeliosDB implements a comprehensive, multi-layered SQL injection protection framework that provides defense-in-depth against all classes of SQL injection attacks.
Current Security Grade: 9.0/10 (Target achieved)
Architecture
Layer 1: Input Validation (heliosdb-security)
All user inputs are validated before being used in queries:
use heliosdb_security::input_validator::{InputValidator, Value};
let validator = InputValidator::new();
// Validate identifiers (table/column names)let table = validator.validate_identifier("users")?;
// Validate literal valueslet value = Value::String("user input".to_string());validator.validate_literal(&value)?;Key Features:
- Strict identifier validation (alphanumeric + underscore only)
- SQL keyword detection and quoting
- Null byte detection
- Length limits (63 chars for identifiers, 1MB for strings)
- Dangerous pattern detection (semicolons, comments, etc.)
Layer 2: Pattern Detection (heliosdb-security)
The SQL injection detector analyzes queries for attack patterns:
use heliosdb_security::sql_injection_detector::SqlInjectionDetector;
let detector = SqlInjectionDetector::new();let result = detector.analyze(user_input);
if result.should_block() { return Err("SQL injection attempt detected");}Detected Attack Patterns:
- Tautology-based injection (OR 1=1)
- UNION-based injection
- Stacked queries (semicolon injection)
- Comment injection (—, /*, #)
- Time-based blind injection (SLEEP, WAITFOR)
- Boolean-based blind injection
- Error-based injection
- Command execution attempts (xp_cmdshell, etc.)
- Out-of-band injection (LOAD_FILE, INTO OUTFILE)
- Encoded injection (URL encoding, hex encoding)
Threat Levels:
- Normal: No threat detected
- Low: Suspicious patterns (logged)
- Medium: Likely attack (warned)
- High: Definite attack (blocked)
- Critical: Advanced attack (blocked + alerted)
Layer 3: SQL Security Validation (heliosdb-protocols)
Comprehensive SQL validation before execution:
use heliosdb_protocols::sql_security::SqlSecurityValidator;
let validator = SqlSecurityValidator::new();validator.validate(sql_query)?;Protection Features:
- Injection pattern matching (13+ patterns)
- Dangerous pattern detection (5+ patterns)
- Blacklisted keyword blocking
- Optional parameterization enforcement
- Query length limits (100KB default)
- Context extraction for error reporting
Blacklisted Operations:
xp_cmdshell- Command executionsp_executesql- Dynamic SQL executionLOAD_FILE- File system accessINTO OUTFILE/DUMPFILE- File writingSLEEP/WAITFOR/DELAY- Timing attacks
Layer 4: Type-Safe Query Builder (heliosdb-sql-builder)
Compile-time safe query construction using Rust’s type system:
use heliosdb_sql_builder::*;
let query = select_all() .from(SafeIdentifier::new("users")?) .where_eq( SafeIdentifier::new("id")?, Parameter::from(user_id) ) .build();
// Generated SQL: "SELECT * FROM users WHERE id = $1"// Parameters: [user_id]Guarantees:
- All identifiers validated at construction time
- All values bound as parameters
- No string concatenation possible
- Type-safe state machine prevents invalid queries
- Compile-time prevention of SQL injection
Safe Identifier Rules:
- Must start with letter or underscore
- Contains only alphanumeric and underscore
- Maximum 63 characters (PostgreSQL limit)
- SQL keywords automatically quoted
Layer 5: Parameterized Queries (Everywhere)
All query execution uses parameterized queries by default:
// SAFE - Parameterized queryexecute_query( "SELECT * FROM users WHERE id = $1 AND status = $2", &[user_id, status])?;
// BLOCKED - String concatenation (lint error)execute_query(&format!( "SELECT * FROM users WHERE id = {}", user_id))?; // Compilation warningAttack Vector Coverage
OWASP Top 10 SQL Injection Categories
| Attack Type | Status | Detection | Prevention |
|---|---|---|---|
| A01:2021 - Broken Access Control | Protected | Pattern matching | RLS + RBAC |
| A03:2021 - Injection | Protected | Multi-layer | All layers active |
Specific Attack Techniques
UNION-based Injection
- Detects UNION SELECT patterns
- Blocks column enumeration
- Prevents data exfiltration
Boolean-based Blind Injection
- Detects tautologies (OR 1=1)
- Blocks boolean logic manipulation
- Prevents conditional extraction
Time-based Blind Injection
- Blocks SLEEP/WAITFOR/BENCHMARK
- Detects pg_sleep attempts
- Prevents timing attacks
Error-based Injection
- Sanitizes error messages
- Blocks CAST/CONVERT exploitation
- Prevents information leakage
Stacked Query Injection
- Blocks semicolon separators
- Detects multiple statements
- Prevents command chaining
Second-order Injection
- Validates stored data before use
- Parameterizes retrieved values
- Context-aware escaping
NoSQL Injection (via protocol handlers)
- MongoDB operator sanitization
- Cassandra CQL parameterization
- Redis command validation
Usage Guidelines
DO: Use Type-Safe Query Builder
use heliosdb_sql_builder::*;
// Build queries safelylet query = select(vec![ SafeIdentifier::new("id")?, SafeIdentifier::new("name")?, SafeIdentifier::new("email")?,]).from(SafeIdentifier::new("users")?).where_eq( SafeIdentifier::new("status")?, Parameter::from("active")).order_by( SafeIdentifier::new("created_at")?, SortDirection::Desc).limit(Parameter::from(10)).build();
execute_query(&query.sql(), query.parameters())?;DO: Use Parameterized Queries
// Simple queryexecute_query( "SELECT * FROM users WHERE id = $1", &[user_id])?;
// Complex query with multiple parametersexecute_query( "UPDATE orders SET status = $1, updated_at = $2 WHERE user_id = $3 AND status = $4", &[new_status, timestamp, user_id, old_status])?;
// Array parametersexecute_query( "SELECT * FROM users WHERE id = ANY($1)", &[user_ids])?;DO: Validate All User Inputs
use heliosdb_security::input_validator::InputValidator;
let validator = InputValidator::new();
// Validate identifierlet table_name = validator.validate_identifier(user_table)?;
// Validate operatorlet op = validator.validate_operator(user_operator)?;
// Sanitize LIKE patternslet pattern = validator.sanitize_like_pattern(user_search)?;execute_query( "SELECT * FROM users WHERE name LIKE $1", &[format!("%{}%", pattern)])?;DON’T: Use String Concatenation
// WRONG - Vulnerable to SQL injectionlet sql = format!("SELECT * FROM users WHERE id = {}", user_id);execute_query(&sql, &[])?; // BLOCKED
// WRONG - Still vulnerable even with quoteslet sql = format!("SELECT * FROM users WHERE name = '{}'", username);execute_query(&sql, &[])?; // BLOCKED
// WRONG - Dynamic table names without validationlet sql = format!("SELECT * FROM {}", user_table);execute_query(&sql, &[])?; // BLOCKEDDON’T: Trust Any External Input
// WRONG - Trusting external inputlet order_by = request.get_param("sort"); // Could be "name; DROP TABLE users--"let sql = format!("SELECT * FROM users ORDER BY {}", order_by); // BLOCKED
// RIGHT - Validate and whitelistlet allowed_columns = ["id", "name", "email", "created_at"];let order_by = if allowed_columns.contains(&request.get_param("sort")) { SafeIdentifier::new(request.get_param("sort"))?} else { return Err("Invalid sort column");};Testing
Comprehensive Test Suite
100+ test cases covering all attack vectors:
# Run all SQL injection testscargo test sql_injection
# Run specific test categoriescargo test union_based_injectioncargo test boolean_blind_injectioncargo test time_based_injectioncargo test error_based_injectionPenetration Testing
# Run penetration testscargo test -p heliosdb-security penetration_tests
# Run fuzzing testscargo test -p heliosdb-security fuzzingConfiguration
Production Security Settings
use heliosdb_protocols::sql_security::SqlSecurityValidator;use heliosdb_security::sql_injection_detector::SqlInjectionDetector;
// Maximum security configurationlet mut validator = SqlSecurityValidator::new();validator.require_parameterization = true; // Enforce parametersvalidator.max_query_length = 50_000; // 50KB limit
let detector = SqlInjectionDetector::strict(); // Block all suspicious patternsPolicy Management
use heliosdb_protocols::sql_security::QueryPolicyManager;
let mut policy = QueryPolicyManager::new(true); // Strict mode
// Deny dangerous operationspolicy.add_denied_pattern(r"(?i)\bDROP\s+TABLE")?;policy.add_denied_pattern(r"(?i)\bTRUNCATE")?;
// Allow specific patterns (optional)policy.add_allowed_pattern(r"^SELECT .+ FROM users WHERE")?;
policy.check_policy(sql)?;Performance
Zero overhead for prepared statements:
- Query validation: < 100μs
- Pattern matching: < 50μs
- Parameter binding: < 10μs
Cached regex patterns for optimal performance.
Monitoring
All SQL injection attempts are logged:
WARN [heliosdb_protocols::sql_security] SQL injection attempt detected: OR 1=1ERROR [heliosdb_protocols::sql_security] Blacklisted operation: LOAD_FILEEnable audit logging for compliance:
use heliosdb_audit::AuditLogger;
let logger = AuditLogger::new();logger.log_security_event("SQL_INJECTION_BLOCKED", &details);References
- OWASP SQL Injection Prevention Cheat Sheet
- CWE-89: SQL Injection
- NIST SP 800-53: SI-10 Information Input Validation
- PostgreSQL Security Best Practices
Maintenance
- Patterns updated quarterly based on threat intelligence
- New attack vectors added as discovered
- Security grade monitored continuously
- Penetration testing performed monthly