Avoid SQL injection with these best practices

Avoiding SQL Server injection through validating data may be tedious, but it is usually simple and always worthwhile.

Can you offer best practices to avoid SQL (Server) injection?
Some sound advice on the subject can be found at SQLSecurity.com. The Web site is run by Chip Andrews, the fellow who coined the phrase "SQL injection." Most of the advice follows a repeating battle cry: Sanitize all data coming in to your application, whether from human input, browser user-agent strings or cookies. Validate that when you're expecting a numeric, you receive a numeric, and reject anything else before it gets anywhere near the database. Validation on its own is not the whole story, though: build the query itself with parameters (sp_executesql with a parameter list, or the parameter objects of your data access layer) rather than by concatenating strings, so that the database always receives the input as a value and never as SQL syntax.

Most of it is simple once you get the hang of it, but it's a pain when you're trying to whip out a quick Web application. The trouble is that quick Web apps tend to grow into enterprise mission-critical systems. Things that didn't seem important when you were making a quick little program to track jelly beans (such as data input validation) become monstrous issues when your application controls the worldwide inventory of a Jelly Bean factory.

Here are some additional resources to help you prevent SQL injection attacks:
  • Automate SQL injection testing
  • Checklist: How to test SQL Server security
  • Discover and lock down vulnerable SQL Server services

This was first published in May 2006.
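Both halves of that advice side by side, as an added example that is not code from the original article or from SQLSecurity.com: a flavor lookup built by string concatenation next to the same lookup as a parameterized query, plus the strict "expecting a numeric, receive a numeric" check. It uses Python's built-in sqlite3 module in place of SQL Server so it runs offline; the beans table, its rows and the two injection payloads are constructed for the demonstration, and the same `?` placeholder pattern applies to SQL Server through pyodbc.

```python
import re
import sqlite3

# Constructed sample data standing in for the jelly bean inventory.
SAMPLE_ROWS = [
    (1, "Cherry", 1200),
    (2, "Lemon", 800),
    (3, "Blueberry", 450),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE beans (id INTEGER PRIMARY KEY, flavor TEXT, qty INTEGER)"
    )
    conn.executemany("INSERT INTO beans VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, flavor):
    """Query built by string concatenation: the input becomes SQL syntax.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row; a UNION payload can read other tables entirely.
    """
    sql = "SELECT id, flavor, qty FROM beans WHERE flavor = '" + flavor + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, flavor):
    """Parameterized query: the value travels separately from the SQL text.

    Quotes, comments and keywords in the input are compared as data, so the
    same payload that dumped the table above simply matches no flavor here.
    """
    sql = "SELECT id, flavor, qty FROM beans WHERE flavor = ?"
    return conn.execute(sql, (flavor,)).fetchall()


# Whitelist for an identifier: one to nine ASCII digits and nothing else.
# re.fullmatch is used rather than re.match with $, because $ would still
# accept a trailing newline ("42\n") that a form field can easily carry.
_NUMERIC = re.compile(r"[0-9]{1,9}")


def is_numeric(raw):
    """True only when the raw input is exactly a short run of digits."""
    return isinstance(raw, str) and _NUMERIC.fullmatch(raw) is not None


def lookup_by_id(conn, raw_id):
    """Validate first, then bind: the database never sees the raw string."""
    if not is_numeric(raw_id):
        raise ValueError("id must be a positive integer")
    bean_id = int(raw_id)
    return conn.execute(
        "SELECT id, flavor, qty FROM beans WHERE id = ?", (bean_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, tautology))   # all three rows
    print("parameterized:", lookup_safe(conn, tautology))     # []
    schema_leak = "' UNION SELECT 1, name, sql FROM sqlite_master --"
    print("schema leak:", lookup_vulnerable(conn, schema_leak))  # CREATE TABLE text
    print("by id:", lookup_by_id(conn, "2"))
    print("rejected:", is_numeric("2 OR 1=1"))                  # False
```

Run it once and compare the first two lines of output: the concatenated query hands back the whole table for a value that names no flavor, while the parameterized one returns nothing. The `is_numeric` check is the validation the article asks for; the parameter binding is what makes the query safe even when a check is forgotten.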
