Preventing SQL Injection Attacks

Keep your code secure against intruders. In this article we provide examples of SQL injection attacks and how you can write code to prevent them. Stop people from getting information from your database.

In a previous article we provided some examples of how intruders will try to attack your site using Cross-site Scripting (XSS) attacks. In an XSS attack, the attacker tries to use client-side methods of injecting client-side script and then high-jacking a user's session. Now, we're going to provide some examples of a server-side attack where an intruder will try to obtain information from within your database. After the examples, we will go through methods of securing your code against these types of attacks.

SQL injection attacks take advantage of code that does not filter input that is being entered directly into a form. Susceptible applications are applications that take direct user input and then generate dynamic SQL that is executed via back-end code. For example say you have a logon form that accepts a user name and password. Once authenticated against the database, the application then sets a session value, or some other token for allowing the user to access the protected data.