Solved

Programmers best practice against sql injections

Posted on 2011-09-07
5
302 Views
Last Modified: 2012-05-12
QUESTION 1: What can my Programmers do to Identify and Prevent SQL Injection vulnerabilities?  
0
Comment
Question by:DEFclub
5 Comments
 
LVL 8

Accepted Solution

by:
Toxacon earned 250 total points
ID: 36497444
Allow only ordinary letters (a-z, A-Z) and numbers (0-9) as parameters for queries, if possible. Always stop executing code if the input parameter contains a % or a '.
0
 
LVL 6

Assisted Solution

by:markterry
markterry earned 250 total points
ID: 36497530
Several things, basically you need to clean the input. Use procedures to both clean input, and prevent unwanted data types.

If you have a query like the following, where you append the value of an input box into the query:
Select Column1, column2 from table where column like 'value from input box'

the injector could use this input:
' UNION ALL Select column_Name, table_name from information_Schema.columns

That would append a list of columns and table names to the results, and they could use that info to write further queries.

Using a stored procedure, that would come in all as text, and the query would fail.

You can also strip unwanted characters.

see below for more info.

SQL Injection Overview'
MS SQL Injection Best Practices with ASP.NET
0
 
LVL 6

Expert Comment

by:markterry
ID: 36497537
0
 
LVL 51

Expert Comment

by:HainKurt
ID: 36497697
they open google.com and put "sql injection" and start reading :)
0
 

Author Closing Comment

by:DEFclub
ID: 36499580
thxs
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Computer science students often experience many of the same frustrations when going through their engineering courses. This article presents seven tips I found useful when completing a bachelors and masters degree in computing which I believe may he…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question