?
Solved

Programmers best practice against sql injections

Posted on 2011-09-07
5
Medium Priority
?
309 Views
Last Modified: 2012-05-12
QUESTION 1: What can my Programmers do to Identify and Prevent SQL Injection vulnerabilities?  
0
Comment
Question by:DEFclub
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 8

Accepted Solution

by:
Toxacon earned 1000 total points
ID: 36497444
Allow only ordinary letters (a-z, A-Z) and numbers (0-9) as parameters for queries, if possible. Always stop executing code if the input parameter contains a % or a '.
0
 
LVL 6

Assisted Solution

by:markterry
markterry earned 1000 total points
ID: 36497530
Several things, basically you need to clean the input. Use procedures to both clean input, and prevent unwanted data types.

If you have a query like the following, where you append the value of an input box into the query:
Select Column1, column2 from table where column like 'value from input box'

the injector could use this input:
' UNION ALL Select column_Name, table_name from information_Schema.columns

That would append a list of columns and table names to the results, and they could use that info to write further queries.

Using a stored procedure, that would come in all as text, and the query would fail.

You can also strip unwanted characters.

see below for more info.

SQL Injection Overview'
MS SQL Injection Best Practices with ASP.NET
0
 
LVL 6

Expert Comment

by:markterry
ID: 36497537
0
 
LVL 58

Expert Comment

by:HainKurt
ID: 36497697
they open google.com and put "sql injection" and start reading :)
0
 

Author Closing Comment

by:DEFclub
ID: 36499580
thxs
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question