How to prevent SQL injection attacks?

kreiley

What do you to prevent SQL injection attacks beyond simply not allowing raw SQL to be passed to your database?

Topic: Security
Answer this Question

Answers

3 total
Christopher Nerney
Vote Up (22)

This is the topic of a detailed "SQL Prevention Cheat Sheet" by The Open Web Application Security Project, or OWASP. Here's a key excerpt:

 

"SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query."

 

The cheat sheet runs through explanations of several "primary defenses," including Prepared Statements (Parameterized Queries), Stored Procedures and Escaping All User Supplied Input.

 

 

 

 

 

 

 

StillADotcommer
Vote Up (20)

A few basic steps can help prevent a lot of issues:

Do code reviews so that there everything changed is double checked and looked at with a fresh set of eyes.

Don't allow escape characters.

Use parameterized statements so that data is filtered prior to being sent to the database. 

jimlynch
Vote Up (19)

How to Prevent a SQL Injection Attack
http://www.developerdrive.com/2011/10/how-to-prevent-a-sql-injection-att...

"A SQL injection is a common programming error the consequences of which can be really devastating. Many successful hacking attacks start when a hacker discovers a vulnerability that gives an opportunity to inject SQL code.

When an SQL injection occurs, the structure of an SQL query is compromised and as a result you are left at the mercy of the potential hackers. If there is a vulnerability found, hackers can exploit it to gain access not only to your site and database but in extreme cases also to your corporate network. When hackers can inject their code in your code, they can do what they want."

Ask a question

Join Now or Sign In to ask a question.
In the wake of recent security breaches of medical databases, doctors can’t be too careful
A security precaution skipped in mobile applications such as Facebook's Messenger could be abused to make an expensive phone call at a victim's expense, a developer contends.
The U.S. National Institute of Standards and Technology (NIST) is developing a guide for testing third-party apps to ensure that they are secure and don't introduce any vulnerabilities.
With a Microsoft-mandated deadline a little more than two months away, computer makers are still selling PCs equipped with Windows 7 Home Premium.
Many businesses focus on record retention, but here's why one lawyer says "Destroy!"
With a single massive power burst, storage media that suddenly heads south, or interaction with a light-fingered ne'er-do-well, the technology your student depends on can vanish. Take these five tips to heart, however, and the loss of a device or data need not be catastrophic.
U.S government agencies will work to release cyberthreat information faster to the health-care industry after a massive breach at hospital operator Community Health Systems, representatives of two agencies said.
A type of body scanner in wide use across U.S. airports through last year fails to spot well-concealed weapons including guns and knives, computer security researchers contend.
A modified version of Android uses a system of modularized plugins to help make sure the latest security tools make it into the hands of end users as quickly as possible.
The UPS Store said Wednesday that malicious software was found on the systems of 51 of its franchises in 24 U.S. states, although no fraud has been detected yet.
randomness