Q

Protect against SQL Injection by whitelisting

OK, admittedly the best practice for guarding against SQL Injection attacks is to white-ist acceptable characters. However, given that knowledge is power, is there a comprehensive list of special characters (such as the single-quote or double-hyphen) available for SQL Server? I have done a ton of searches and can't seem to find one (I did find the reserved words).

OK, admittedly the best practice for guarding against SQL Injection attacks is to white-list acceptable characters. However, given that knowledge is power, is there a comprehensive list of special characters (such as the single-quote or double-hyphen) available for SQL Server? I have done a ton of searches and can't seem to find one (I did find the reserved words).
SQL is such a powerful language (some would say too powerful) that there isn't a really good list to use for blacklisting. You're right on the money, that whitelisting is your first line of defense. I always like to use a RegEx function to filter all my user provided input. If the data passes the RegEx, then I pass it through a very simple blacklist function as a just-in-case. To date, I haven't seen anything in any application I've written that ever fired off the blacklist function because the whitelist is much more powerful. Whitelisting isn't as hard as you may think; a bunch of examples of RegEx in ASP and PHP abound and you can get really great examples of RegEx strings at www.regexlib.com.
This was first published in March 2007

Dig deeper on SQL Server Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchBusinessAnalytics

SearchDataCenter

SearchDataManagement

SearchAWS

SearchOracle

SearchContentManagement

SearchWindowsServer

Close