Programmers best practice against sql injections

Posted on 2011-09-07
Last Modified: 2012-05-12
QUESTION 1: What can my Programmers do to Identify and Prevent SQL Injection vulnerabilities?  
Question by:DEFclub

Accepted Solution

Toxacon earned 250 total points
ID: 36497444
Allow only ordinary letters (a-z, A-Z) and numbers (0-9) as parameters for queries, if possible. Always stop executing code if the input parameter contains a % or a '.

Assisted Solution

markterry earned 250 total points
ID: 36497530
Several things, basically you need to clean the input. Use procedures to both clean input, and prevent unwanted data types.

If you have a query like the following, where you append the value of an input box into the query:
Select Column1, column2 from table where column like 'value from input box'

the injector could use this input:
' UNION ALL Select column_Name, table_name from information_Schema.columns

That would append a list of columns and table names to the results, and they could use that info to write further queries.

Using a stored procedure, that would come in all as text, and the query would fail.

You can also strip unwanted characters.

see below for more info.

SQL Injection Overview'
MS SQL Injection Best Practices with ASP.NET

Expert Comment

ID: 36497537
LVL 51

Expert Comment

ID: 36497697
they open and put "sql injection" and start reading :)

Author Closing Comment

ID: 36499580

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
sqlquerystress - To test db performance 8 41
sql server concatenate fields 10 32
Get the latest status 8 30
SQL SELECT query help 7 34
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question