How to prevent SQL injection attacks?

kreiley

What do you do to prevent SQL injection attacks beyond simply not allowing raw SQL to be passed to your database?

Topic: Security

Answers

3 total
Christopher Nerney
Vote Up (17)

This is the topic of a detailed "SQL Prevention Cheat Sheet" by The Open Web Application Security Project, or OWASP. Here's a key excerpt:

"SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query."

The cheat sheet runs through explanations of several "primary defenses," including Prepared Statements (Parameterized Queries), Stored Procedures and Escaping All User Supplied Input.

jimlynch
Vote Up (15)

How to Prevent a SQL Injection Attack
http://www.developerdrive.com/2011/10/how-to-prevent-a-sql-injection-att...

"A SQL injection is a common programming error the consequences of which can be really devastating. Many successful hacking attacks start when a hacker discovers a vulnerability that gives an opportunity to inject SQL code.

When an SQL injection occurs, the structure of an SQL query is compromised and as a result you are left at the mercy of the potential hackers. If there is a vulnerability found, hackers can exploit it to gain access not only to your site and database but in extreme cases also to your corporate network. When hackers can inject their code in your code, they can do what they want."

StillADotcommer
Vote Up (15)

A few basic steps can help prevent a lot of issues:

Do code reviews so that everything changed is double checked and looked at with a fresh set of eyes.

Don't allow escape characters.

Use parameterized statements so that data is filtered prior to being sent to the database. 
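To make the distinction the answers draw between a dynamic query and a parameterized statement concrete, here is an added example that is not part of any answer on this page. It uses Python's sqlite3 module against a constructed in-memory users table; the table, names and inputs are assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small in-memory users table (assumption for the demo).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Dynamic query: the user-supplied value is spliced into the SQL text, so a
    # value containing a quote or SQL operators becomes part of the query logic.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    # Prepared statement: the SQL text is fixed and the value travels separately
    # as a bound parameter, so it can only ever be compared as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    benign = "bob"
    # Constructed input carrying a quote and a tautology, the kind of value a
    # review or a web application firewall would flag.
    hostile = "x' OR 'a'='a"
    return {
        "vuln_benign": find_user_vulnerable(conn, benign),
        "vuln_hostile": find_user_vulnerable(conn, hostile),   # every row leaks
        "param_benign": find_user_parameterized(conn, benign),
        "param_hostile": find_user_parameterized(conn, hostile),  # no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same parameterized form is what the OWASP cheat sheet means by "Prepared Statements"; once values are bound this way, there is no need to strip or escape quote characters in the input.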
