• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 319
  • Last Modified:

Programmers best practice against sql injections

QUESTION 1: What can my Programmers do to Identify and Prevent SQL Injection vulnerabilities?  
0
DEFclub
Asked:
DEFclub
2 Solutions
 
ToxaconCommented:
Allow only ordinary letters (a-z, A-Z) and numbers (0-9) as parameters for queries, if possible. Always stop executing code if the input parameter contains a % or a '.
0
 
markterryCommented:
Several things, basically you need to clean the input. Use procedures to both clean input, and prevent unwanted data types.

If you have a query like the following, where you append the value of an input box into the query:
Select Column1, column2 from table where column like 'value from input box'

the injector could use this input:
' UNION ALL Select column_Name, table_name from information_Schema.columns

That would append a list of columns and table names to the results, and they could use that info to write further queries.

Using a stored procedure, that would come in all as text, and the query would fail.

You can also strip unwanted characters.

see below for more info.

SQL Injection Overview'
MS SQL Injection Best Practices with ASP.NET
0
 
markterryCommented:
0
 
HainKurtSr. System AnalystCommented:
they open google.com and put "sql injection" and start reading :)
0
 
DEFclubAuthor Commented:
thxs
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now