Ask the Expert

Avoid SQL injection with these best practices

Can you offer best practices to avoid SQL (Server) injection?

    Requires Free Membership to View

Some sound advice on the subject can be found at SQLSecurity.com. The Web site is run by Chip Andrews, the fellow who coined the phrase "SQL injection." Most of the advice follows a repeating battle cry: Sanitize all data coming in to your application (whether from human input, browser user-agent strings or cookies). Validate that when you're expecting a numeric, you receive a numeric. Most of it is simple once you get the hang of it, but it's a pain when you're trying to whip out a quick Web application. The trouble is quick Web apps tend to grow into enterprise mission-critical systems. Things that didn't seem important when you were making a quick little program to track jelly beans (such as data input validation) become monstrous issues when your application controls the worldwide inventory of a Jelly Bean factory. Here are some additional resources to help you prevent SQL injection attacks:
  • Automate SQL injection testing
  • Checklist: How to test SQL Server security
  • Discover and lock down vulnerable SQL Server services
  • This was first published in May 2006

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: