How to prevent SQL injection attacks?

ITworld Answers

Ask a Question

How to prevent SQL injection attacks?

kreiley 4 weeks ago

What do you to prevent SQL injection attacks beyond simply not allowing raw SQL to be passed to your database?

Tags: SQL, SQL injection attack

Topic: Security

Answer this Question

Login or register to post answers
Permalink

Answers

3 total

jimlynch 4 weeks ago

How to Prevent a SQL Injection Attack
http://www.developerdrive.com/2011/10/how-to-prevent-a-sql-injection-att...

"A SQL injection is a common programming error the consequences of which can be really devastating. Many successful hacking attacks start when a hacker discovers a vulnerability that gives an opportunity to inject SQL code.

When an SQL injection occurs, the structure of an SQL query is compromised and as a result you are left at the mercy of the potential hackers. If there is a vulnerability found, hackers can exploit it to gain access not only to your site and database but in extreme cases also to your corporate network. When hackers can inject their code in your code, they can do what they want."

Share this answer
Permalink

StillADotcommer 4 weeks ago

A few basic steps can help prevent a lot of issues:

Do code reviews so that there everything changed is double checked and looked at with a fresh set of eyes.

Don't allow escape characters.

Use parameterized statements so that data is filtered prior to being sent to the database.

Share this answer
Permalink

Christopher Nerney 4 weeks ago

This is the topic of a detailed "SQL Prevention Cheat Sheet" by The Open Web Application Security Project, or OWASP. Here's a key excerpt:

"SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query."

The cheat sheet runs through explanations of several "primary defenses," including Prepared Statements (Parameterized Queries), Stored Procedures and Escaping All User Supplied Input.

Share this answer
Permalink

Answer this Question

Related Questions

Lemarchand

1 year ago

Are you ready to deploy a Next Generation Firewall?

Is Palo Alto the only true NGFW? SonicWall? Juniper SRX? Do you think that Gartner's definition of a NGFW is correct? Does anyone know...

Tags:

2 Answers

Answer It

tover

1 year ago

I'm considering a slight career change to IT security - what do I need to consider?

I've been in IT for awhile, and am considering a shift to focus more on security and related technologies, policies, etc. What kinds of...

Tags: infosec

2 Answers

Answer It

dblacharski

1 year ago

TRUSTED VOICE

Smartphone security apps

Are there reputable security applications out there for BlackBerry, Android, and iPhone that will protect my business emails, chats, and...

Tags: email security, smartphone security

2 Answers

Answer It

dblacharski

3 weeks ago

TRUSTED VOICE

How to recover data from crashed hard drive

Yes, it's true that everyone should know better, and should be backing up data to an off-site facility on a regular basis. But, in...

Tags:

4 Answers

Answer It

dblacharski

1 year ago

TRUSTED VOICE

Cloud computing security from user perspective

Cloud computing security is approached from two directions; the cloud provider, and the end user. Regarding the provider, our strategy...

Tags:

2 Answers

Answer It

Ask a question

Payment card processors hacked in $45 million fraud

A vast debit card fraud scheme that allegedly netted US$45 million has been linked to the hacking of credit card processors in the U.S. and India.

The Onion explains how its Twitter account was hacked

Hackers who commandeered The Onion's Twitter account used simple but effective phishing attacks to obtain passwords, according to a writeup by the publisher's technology team.

US lawmakers introduce apps privacy bill

New legislation introduced by a group of U.S. lawmakers would require mobile application developers to obtain consent from consumers before collecting their personal data and to secure the data they collect.

Hacking back: Digital revenge is sweet but risky

As cyberattacks increase, victims are fighting back. But retaliation has its own consequences--and may create more damage.

Adobe warns customers of unpatched critical flaw in ColdFusion

Adobe has warned users of its ColdFusion application server platform of a critical vulnerability that could give unauthorized users access to sensitive files stored on their servers.

Name.com forces customers to reset passwords following security breach

Domain registrar Name.com forced its customers to reset their account passwords on Wednesday following a security breach on the company's servers that might have resulted in customer information being compromised.

Microsoft releases fix-it for Internet Explorer 8 vulnerability

Microsoft has released a temporary fix for a zero-day vulnerability in Internet Explorer 8, which was used by hackers in a prominent attack against the U.S. Department of Labor's website.

Researchers find hundreds of insecure building control systems

Intruders used to creep in through ventilation ducts. Now they break in using the software that controls the ventilation.

Interop network squares off against controlled 70G bit/sec DDoS attack

Testing company Ixia launches high-volume DDoS tests against F5 firewalls.

Study: US military too reliant on foreign-made equipment

The U.S. military's reliance on foreign-made products, including telecommunications equipment and semiconductors, is putting the nation's security at risk by exposing agencies to faulty parts and to the possibility that producing nations will stop selling vital items, according to a new report from the Alliance for American Manufacturing.