Solved

Programmers best practice against sql injections

Posted on 2011-09-07
5
303 Views
Last Modified: 2012-05-12
QUESTION 1: What can my programmers do to identify and prevent SQL injection vulnerabilities?
Question by:DEFclub
5 Comments
 
LVL 8

Accepted Solution

by:
Toxacon earned 250 total points
ID: 36497444
Allow only ordinary letters (a-z, A-Z) and numbers (0-9) as parameters for queries, if possible. Always stop executing code if the input parameter contains a % or a '.
0
 
LVL 6

Assisted Solution

by:markterry
markterry earned 250 total points
ID: 36497530
Several things; basically, you need to clean the input. Use procedures to both clean input and prevent unwanted data types.

If you have a query like the following, where you append the value of an input box into the query:
Select Column1, column2 from table where column like 'value from input box'

the injector could use this input:
' UNION ALL Select column_Name, table_name from information_Schema.columns

That would append a list of columns and table names to the results, and they could use that info to write further queries.

Using a stored procedure, that would come in all as text, and the query would fail.

You can also strip unwanted characters.

see below for more info.

SQL Injection Overview
MS SQL Injection Best Practices with ASP.NET
0
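The contrast the two answers above describe, as an added example that is not from either poster: the concatenated query from markterry's post beside a parameterized version, plus Toxacon's letters-and-digits-only check. It uses an in-memory SQLite database (constructed table and rows) so it runs offline; the injection input is adapted to SQLite's sqlite_master catalog table since it has no information_schema.

```python
import re
import sqlite3

# Constructed stand-in for the post's table. SQLite is used because it runs
# offline; on MS SQL the catalog view would be information_schema.columns.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE products (column1 TEXT, column2 TEXT);
    INSERT INTO products VALUES ('widget', 'blue'), ('gadget', 'red');
    CREATE TABLE secrets (token TEXT, owner TEXT);
    INSERT INTO secrets VALUES ('constructed-token', 'admin');
""")

# The post's UNION input, adapted to SQLite's catalog table (constructed).
INJECTION = "' UNION ALL SELECT name, sql FROM sqlite_master --"


def search_concatenated(value):
    """Vulnerable pattern from the post: the input box value is pasted into
    the SQL text, so a quote in the input ends the string and the rest
    becomes SQL. Returns the rows the database hands back."""
    sql = ("SELECT column1, column2 FROM products "
           "WHERE column1 LIKE '" + value + "'")
    return conn.execute(sql).fetchall()


def search_parameterized(value):
    """Hardened form: the value travels separately from the SQL text (the
    same property a stored procedure with typed parameters gives you), so
    the quote and UNION are only characters inside the LIKE pattern."""
    sql = "SELECT column1, column2 FROM products WHERE column1 LIKE ?"
    return conn.execute(sql, (value,)).fetchall()


# Toxacon's rule as defence in depth: ordinary letters and digits only,
# which rejects % and ' before any query is built.
ALLOWED = re.compile(r"^[A-Za-z0-9]+$")


def input_is_allowed(value):
    return ALLOWED.match(value) is not None


def search_allowlisted(value):
    """Stop executing on anything outside the allowlist, then query safely."""
    if not input_is_allowed(value):
        raise ValueError(f"rejected input: {value!r}")
    return search_parameterized(value)


if __name__ == "__main__":
    print(search_concatenated(INJECTION))   # catalog rows leak into results
    print(search_parameterized(INJECTION))  # [] : no product matches that text
    print(search_allowlisted("widget"))     # [('widget', 'blue')]
```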
 
LVL 6

Expert Comment

by:markterry
ID: 36497537
0
 
LVL 52

Expert Comment

by:Huseyin KAHRAMAN
ID: 36497697
they open google.com and put "sql injection" and start reading :)
0
 

Author Closing Comment

by:DEFclub
ID: 36499580
thxs
0
