How to prevent SQL injection attacks?

kreiley

What do you to prevent SQL injection attacks beyond simply not allowing raw SQL to be passed to your database?

Topic: Security
Answer this Question

Answers

3 total
Christopher Nerney
Vote Up (22)

This is the topic of a detailed "SQL Prevention Cheat Sheet" by The Open Web Application Security Project, or OWASP. Here's a key excerpt:

 

"SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query."

 

The cheat sheet runs through explanations of several "primary defenses," including Prepared Statements (Parameterized Queries), Stored Procedures and Escaping All User Supplied Input.

 

 

 

 

 

 

 

StillADotcommer
Vote Up (20)

A few basic steps can help prevent a lot of issues:

Do code reviews so that there everything changed is double checked and looked at with a fresh set of eyes.

Don't allow escape characters.

Use parameterized statements so that data is filtered prior to being sent to the database. 

jimlynch
Vote Up (19)

How to Prevent a SQL Injection Attack
http://www.developerdrive.com/2011/10/how-to-prevent-a-sql-injection-att...

"A SQL injection is a common programming error the consequences of which can be really devastating. Many successful hacking attacks start when a hacker discovers a vulnerability that gives an opportunity to inject SQL code.

When an SQL injection occurs, the structure of an SQL query is compromised and as a result you are left at the mercy of the potential hackers. If there is a vulnerability found, hackers can exploit it to gain access not only to your site and database but in extreme cases also to your corporate network. When hackers can inject their code in your code, they can do what they want."

Ask a question

Join Now or Sign In to ask a question.
Ping Identity has picked up another $35 million in venture funding to speed development of the next-generation of its identity and access management technology and expand the company's presence in Europe and Asia-Pacific.
Apple's new passcode-based encryption for the iPhone and iPad can be circumvented and provides only limited protection to data.
Google, Dropbox and the Open Technology Fund are supporting a new organization focused on making open-source security and privacy tools more user-friendly.
Among six major U.S. cities, CSOs are paid the most in San Francisco and New York, but factoring in the cost of living makes Denver and Chicago the best bang-for-the-buck places.
Apple's iOS 8 addresses a serious weakness that could allow attackers to hijack the wireless network authentication of Apple devices and gain access to enterprise networks.
Legislation introduced in the U.S. Senate on Thursday aims to place limits on access by U.S. law enforcement agencies to emails and other communications stored abroad.
Two online advertising networks, Google's DoubleClick and Zedo, have been delivering malicious advertisements that could install malware on a person's computer, according to the security vendor Malwarebytes.
Google is turning on data encryption by default in the next version of Android, a step that mirrors broad moves in the technology industry to ensure better data security.
CloudFlare said it has engineered a novel way to handle sensitive encryption keys that allows organizations such as financial institutions to still use its caching service to fend off cyberattacks.
Samsung on Thursday announced price reductions and updates for its Knox security and management software for IT shops and a free My Knox service that is directly available to professionals using ActiveSync.