Programmers' best practice against SQL injections

QUESTION 1: What can my Programmers do to Identify and Prevent SQL Injection vulnerabilities?  
Toxacon commented:
Allow only ordinary letters (a-z, A-Z) and numbers (0-9) as parameters for queries, if possible. Always stop executing code if the input parameter contains a % or a '.
markterry commented:
Several things; basically, you need to clean the input. Use procedures to both clean input and prevent unwanted data types.

If you have a query like the following, where you append the value of an input box into the query:
Select Column1, column2 from table where column like 'value from input box'

the injector could use this input:
' UNION ALL Select column_Name, table_name from information_Schema.columns

That would append a list of columns and table names to the results, and they could use that info to write further queries.

Using a stored procedure, that would come in all as text, and the query would fail.

You can also strip unwanted characters.

see below for more info.

SQL Injection Overview
MS SQL Injection Best Practices with ASP.NET
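The pattern markterry describes, as an added example that is not part of the original thread: the concatenated query beside its parameterised form, plus the letters-and-digits allowlist Toxacon suggests. The table names, rows and the sample input are constructed here; the query text from the answer is adapted to SQLite (which has no information_schema, so the sample input reads sqlite_master instead).

```python
import re
import sqlite3

# Constructed sample data (hypothetical; not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (column1 TEXT, column2 TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("widget", "blue"), ("gadget", "red")])
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-secret')")
    return conn

# Constructed input of the same shape as the answer's example; the trailing
# '--' comments out the closing quote that the vulnerable query appends.
INJECTED_INPUT = "' UNION ALL SELECT name, type FROM sqlite_master --"

def search_vulnerable(conn, value):
    # The answer's pattern: the input box value is pasted into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = ("SELECT column1, column2 FROM products WHERE column1 LIKE '"
           + value + "'")
    return conn.execute(sql).fetchall()

def search_safe(conn, value):
    # Parameterised form: the value travels separately from the statement and
    # is only ever compared as data, which is what the stored-procedure advice
    # in the answer achieves on SQL Server ("it all comes in as text").
    sql = "SELECT column1, column2 FROM products WHERE column1 LIKE ?"
    return conn.execute(sql, (value,)).fetchall()

def is_allowlisted(value):
    # Toxacon's rule: only a-z, A-Z, 0-9; anything else (including % and ')
    # is rejected before a query is built.
    return re.fullmatch(r"[A-Za-z0-9]+", value) is not None

def search_allowlisted(conn, value):
    if not is_allowlisted(value):
        raise ValueError("input contains characters outside [A-Za-z0-9]")
    return search_safe(conn, value)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, INJECTED_INPUT))  # leaks schema
    print("parameterised:", search_safe(db, INJECTED_INPUT))     # []
    print("allowlisted:", is_allowlisted(INJECTED_INPUT))        # False
```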
HainKurt commented:
they open and put "sql injection" and start reading :)