SQL Statement Sanitizer
    • 30 May 2024

    Article summary

    Set up two new environment variables on a Windows SysAid On-Premise server that enable detection and, optionally, blocking of suspected SQL injection statements.



    Requirements

    • On-Premise v.23.3.38 or higher

    SQL injection is one of the most serious threats to a database-backed application, and detecting and blocking injection attempts is an important layer of database security.

    The two Windows environment variables described here add that layer to SysAid: when enabled, the SQL Statement Sanitizer inspects SQL statements before they are executed, identifies statements that look like injection attempts, logs them and, if blocking is enabled, prevents them from running. This is a defense-in-depth control that complements, rather than replaces, parameterized queries and input validation in the application itself.

    This document is designed to guide you through setting up two new key environment variables on a Windows operating system:

    1. SEARCH_SUSPECTED_SQL_INJECTION

    2. BLOCK_SUSPECTED_SQL_INJECTION

    SEARCH_SUSPECTED_SQL_INJECTION

    When SEARCH_SUSPECTED_SQL_INJECTION is set to 'true', the sanitizer inspects each SQL statement for signs of a suspected SQL injection.

    When it is set to 'false', or does not exist, SQL statements are not inspected at all, and BLOCK_SUSPECTED_SQL_INJECTION has nothing to act on.

    BLOCK_SUSPECTED_SQL_INJECTION

    When BLOCK_SUSPECTED_SQL_INJECTION is set to 'true', any statement the check flags as a suspected SQL injection is blocked.

    The detected SQL statement is replaced with a query that returns an empty result set, so the caller receives no rows instead of the result of the suspicious statement.

    If BLOCK_SUSPECTED_SQL_INJECTION is set to 'false', or does not exist, suspected statements are logged but still executed. Blocking applies only to statements the check has detected, so it presupposes that SEARCH_SUSPECTED_SQL_INJECTION is also set to 'true'.

    Whenever SEARCH_SUSPECTED_SQL_INJECTION is 'true' and a suspected injection is detected, an error entry is written to the log: 'SQLInjectionsSanitizer: Found suspected sql', followed by the detected SQL statement. A sensible rollout is to run with SEARCH_SUSPECTED_SQL_INJECTION set to 'true' and BLOCK_SUSPECTED_SQL_INJECTION set to 'false' first, review the logged statements for legitimate queries that were flagged, and only then enable blocking, because a blocked legitimate query silently returns an empty result set rather than an error.
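    The four combinations of the two variables, as an added illustration in PowerShell. This is not SysAid's code: it reads the two variables from the process environment and applies a stand-in detection heuristic of my own, since this page does not document the rules the sanitizer actually uses; the replacement query, the function names and the sample statements are likewise assumptions made for the illustration.

```powershell
# Added illustration (not SysAid code): models the SEARCH/BLOCK decision table
# described above. The heuristic in Test-SuspectedInjection is a stand-in; the
# rules SysAid actually applies are not documented on this page.

function Test-FlagEnabled {
    param([string]$Name)
    # Absent, or anything other than 'true' (case-insensitive), counts as disabled.
    $value = [Environment]::GetEnvironmentVariable($Name)
    return ($null -ne $value) -and ($value.Trim() -ieq 'true')
}

function Test-SuspectedInjection {
    param([string]$Sql)
    # Stand-in heuristic (assumption): stacked statements, comment truncation,
    # or a numeric tautology such as OR 1=1. -match is case-insensitive.
    return (($Sql -match ';\s*(DROP|DELETE|UPDATE|INSERT|EXEC)\b') -or
            ($Sql -match '(--|/\*)') -or
            ($Sql -match '\bOR\s+\d+\s*=\s*\d+'))
}

function Invoke-SqlSanitizer {
    param([string]$Sql)
    $search = Test-FlagEnabled 'SEARCH_SUSPECTED_SQL_INJECTION'
    $block  = Test-FlagEnabled 'BLOCK_SUSPECTED_SQL_INJECTION'
    $result = [pscustomobject]@{ Original = $Sql; Suspected = $false; Blocked = $false; Executed = $Sql }

    if (-not $search) { return $result }        # search off: nothing is inspected

    if (Test-SuspectedInjection $Sql) {
        $result.Suspected = $true
        # Log line format as stated on this page, followed by the statement.
        Write-Warning "SQLInjectionsSanitizer: Found suspected sql: $Sql"
        if ($block) {
            $result.Blocked  = $true
            # The page says the statement is replaced by a query returning an
            # empty result set; the exact replacement text is an assumption.
            $result.Executed = 'SELECT 1 WHERE 1 = 0'
        }
    }
    return $result
}

# Constructed sample statements: one benign, two that trip the stand-in heuristic.
$samples = @(
    "SELECT * FROM users WHERE id = 42",
    "SELECT * FROM users WHERE name = 'x' OR 1=1 --'",
    "SELECT * FROM users WHERE id = 1; DROP TABLE users"
)

$modes = [ordered]@{
    'search off'     = @('false', 'true')   # BLOCK alone does nothing
    'search only'    = @('true',  'false')
    'search + block' = @('true',  'true')
}

foreach ($mode in $modes.GetEnumerator()) {
    # Setting $env: changes the current process environment, which is what
    # [Environment]::GetEnvironmentVariable($Name) reads by default.
    $env:SEARCH_SUSPECTED_SQL_INJECTION = $mode.Value[0]
    $env:BLOCK_SUSPECTED_SQL_INJECTION  = $mode.Value[1]
    Write-Host "--- $($mode.Key) ---"
    $samples | ForEach-Object { Invoke-SqlSanitizer $_ } |
        Format-Table Suspected, Blocked, Executed -AutoSize
}
```

    In 'search off' mode nothing is flagged even though BLOCK is 'true'; in 'search only' mode the two suspicious statements are logged but still passed through unchanged; only in 'search + block' mode is the executed statement replaced.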

    Set up Windows Environment Variables

    OS Version Variations

    The exact steps for setting Windows environment variables vary by OS version; the steps below follow the Windows 10 and Windows 11 Settings layout.

    To set up these environment variables, follow these steps:

    1. Press Windows + X, and choose 'System'.

    2. Click on 'About' and then 'System info'.

    3. Choose 'Advanced system settings' from the right pane.

    4. In the System Properties window that appears, go to the 'Advanced' tab and click on 'Environment Variables'.

    5. In the Environment Variables window, click 'New' under the 'System variables' section.

    6. You will see a 'New System Variable' window. Write 'SEARCH_SUSPECTED_SQL_INJECTION' in the 'Variable name' field, type 'true' or 'false' as your 'Variable value', then click 'OK'.

    7. Repeat the process for 'BLOCK_SUSPECTED_SQL_INJECTION'.

    8. To finalize the changes, click 'OK' in all previous windows.

    9. Restart the SysAid service so that the new environment variables take effect. A Windows service reads its environment only at start-up, so the variables are not picked up until the service is restarted.

    You can then view the variables and their values in the 'System variables' list of the Environment Variables window.
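    The same configuration done from an elevated PowerShell prompt, as an added example that is not part of SysAid's documentation. It writes both variables to the Machine scope (the 'System variables' section of the dialog above), reads them back from that scope to confirm they are stored, and restarts the service. The SysAid service name is not stated on this page, so the script looks the service up by display name; that lookup pattern, and the function names, are assumptions.

```powershell
# Added example (not from SysAid's documentation). Run from an elevated prompt:
# writing Machine-scope environment variables and restarting a service both
# require administrator rights.
#Requires -RunAsAdministrator

function Set-SqlSanitizerFlags {
    param(
        [ValidateSet('true', 'false')][string]$Search = 'true',
        [ValidateSet('true', 'false')][string]$Block  = 'false'
    )
    # 'Machine' scope corresponds to the 'System variables' section in the GUI.
    [Environment]::SetEnvironmentVariable('SEARCH_SUSPECTED_SQL_INJECTION', $Search, 'Machine')
    [Environment]::SetEnvironmentVariable('BLOCK_SUSPECTED_SQL_INJECTION',  $Block,  'Machine')
}

function Get-SqlSanitizerFlags {
    # Read back from the Machine scope, not from $env:, which only reflects
    # the environment of the current PowerShell process.
    [pscustomobject]@{
        SEARCH_SUSPECTED_SQL_INJECTION = [Environment]::GetEnvironmentVariable('SEARCH_SUSPECTED_SQL_INJECTION', 'Machine')
        BLOCK_SUSPECTED_SQL_INJECTION  = [Environment]::GetEnvironmentVariable('BLOCK_SUSPECTED_SQL_INJECTION',  'Machine')
    }
}

# Start in detect-only mode so flagged statements can be reviewed in the log
# before blocking is switched on. Change -Block to 'true' once the log is clean.
Set-SqlSanitizerFlags -Search 'true' -Block 'false'
Get-SqlSanitizerFlags

# A service reads its environment at start-up, so it must be restarted.
# Assumption: the SysAid service's display name contains 'SysAid'. If it does
# not, substitute the actual service name.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*SysAid*' }
if (-not $svc) { throw "No service with 'SysAid' in its display name was found; restart the SysAid service by its actual name." }
$svc | Restart-Service -Force
$svc | Get-Service | Select-Object Name, DisplayName, Status
```

    Get-SqlSanitizerFlags reads the values from the registry-backed Machine scope, which is the authoritative check that the variables were stored; a value shown by `$env:` in the same window only proves the current process can see it.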

    The two environment variables now provide an additional line of defense against SQL injection attempts: detection with logging, and optionally blocking.

    They are a supplementary control. Keep using parameterized queries and input validation in the application, monitor the log for 'SQLInjectionsSanitizer: Found suspected sql' entries, and enable blocking only after confirming that legitimate queries are not being flagged.