How to prevent SQL injection attacks?

kreiley

What do you to prevent SQL injection attacks beyond simply not allowing raw SQL to be passed to your database?

Topic: Security
Answer this Question

Answers

3 total
Christopher Nerney
Vote Up (21)

This is the topic of a detailed "SQL Prevention Cheat Sheet" by The Open Web Application Security Project, or OWASP. Here's a key excerpt:

 

"SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query."

 

The cheat sheet runs through explanations of several "primary defenses," including Prepared Statements (Parameterized Queries), Stored Procedures and Escaping All User Supplied Input.

 

 

 

 

 

 

 

StillADotcommer
Vote Up (20)

A few basic steps can help prevent a lot of issues:

Do code reviews so that there everything changed is double checked and looked at with a fresh set of eyes.

Don't allow escape characters.

Use parameterized statements so that data is filtered prior to being sent to the database. 

jimlynch
Vote Up (19)

How to Prevent a SQL Injection Attack
http://www.developerdrive.com/2011/10/how-to-prevent-a-sql-injection-att...

"A SQL injection is a common programming error the consequences of which can be really devastating. Many successful hacking attacks start when a hacker discovers a vulnerability that gives an opportunity to inject SQL code.

When an SQL injection occurs, the structure of an SQL query is compromised and as a result you are left at the mercy of the potential hackers. If there is a vulnerability found, hackers can exploit it to gain access not only to your site and database but in extreme cases also to your corporate network. When hackers can inject their code in your code, they can do what they want."

Ask a question

Join Now or Sign In to ask a question.
A configuration problem in Facebook's popular Instagram application for Apple devices could allow a hacker to hijack a person's account if they're both on the same public Wi-Fi network.
Questions abound over sites authenticating users via identities established through social networks, Yahoo Ponemon Institute survey shows.
Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers.
Vulnerabilities in the Tails operating system could reveal your IP address, but you can avoid trouble by taking a couple of precautions.
Financial institutions use many technologies to fight crime, but much of the work comes too late, focusing on suspicious activity, like uncharacteristic charges or money transfers, after it happens.
Dennis Technology Labs says it tested it because of marketing claims for it; Malwarebytes says free version of product is just a clean-up tool.
A new survey of IT security professionals shows that many businesses are barely starting to exploit mobile technology, and some of them may be a mobile security nightmare waiting to happen.
The Russian Ministry of Interior is willing to pay 3.9 million roubles, or around US$111,000, for a method to identify users on the Tor network.
Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks.
European data protection authorities still have questions after meeting with Google, Microsoft and Yahoo about the implementation of a recent ruling that gave European citizens the right to be forgotten by search engines.