Preventing SQL injection

Can anyone please explain how SQL injection can be prevented?

I know filtering the contents on the server side is one of the solutions: filtering characters such as (<, >, ', OR, 1, =).

There is a possibility that a few of the web apps may treat these characters as legitimate. For example, a user name may contain O'Reilly.

In this case you can't filter the (') character, as it's part of the user name.

Prevent SQL Injection Attacks

* Encrypt sensitive data.
* Access the database using an account with the least privileges necessary.
* Install the database using an account with the least privileges necessary.
* Ensure that data is valid.
* Do a code review to check for the possibility of second-order attacks.
* Use parameterised queries.
* Use stored procedures.
* Re-validate data in stored procedures.
* Ensure that error messages give nothing away about the internal architecture of the application or the database.

source:
http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp
©2005 Colin Angus Mackay. All Rights Reserved.
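The difference between "filter the quote" and "use parameterised queries" from the list above, shown on the O'Reilly case raised in the question. This is an added example, not code from the post or from the linked article; it assumes a constructed in-memory SQLite table named `users` with `name` and `role` columns.

```python
import sqlite3


def make_db():
    """Constructed sample database (assumption): three users, one of them O'Reilly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("O'Reilly", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the user-supplied name is spliced into the SQL text itself.

    A legitimate apostrophe breaks the statement, and attacker-chosen
    characters become part of the query grammar (this is the injection).
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Safe: the name travels as a bound parameter, never as SQL text.

    The database engine receives the statement and the value separately,
    so an apostrophe or an OR is just data; no character filtering is needed.
    """
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on a fresh database and return (concat_result, param_result).

    The vulnerable variant's SQL error is returned as a string instead of raised,
    so the two behaviours can be compared side by side.
    """
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + str(exc)
    return concat, lookup_param(conn, name)
```

For the plain name `alice` both variants agree; for `O'Reilly` the concatenated query fails with a syntax error while the parameterised one returns the row; for an input carrying the `' OR '1'='1` pattern the concatenated query returns every user while the parameterised one returns nothing.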
