Protect against SQL Injection by whitelisting

Home
Topics
Microsoft SQL Server Administration
SQL Server Security
Protect against SQL Injection by whitelisting

Protect against SQL Injection by whitelisting

OK, admittedly the best practice for guarding against SQL Injection attacks is to white-list acceptable characters. However, given that knowledge is power, is there a comprehensive list of special characters (such as the single-quote or double-hyphen) available for SQL Server? I have done a ton of searches and can't seem to find one (I did find the reserved words).

Requires Free Membership to View

Login

By submitting your registration information to SearchSQLServer.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSQLServer.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

SQL is such a powerful language (some would say too powerful) that there isn't a really good list to use for blacklisting. You're right on the money, that whitelisting is your first line of defense. I always like to use a RegEx function to filter all my user provided input. If the data passes the RegEx, then I pass it through a very simple blacklist function as a just-in-case. To date, I haven't seen anything in any application I've written that ever fired off the blacklist function because the whitelist is much more powerful. Whitelisting isn't as hard as you may think; a bunch of examples of RegEx in ASP and PHP abound and you can get really great examples of RegEx strings at www.regexlib.com.

Dig Deeper

People who read this also read...

Related glossary terms

Terms for Whatis.com - the technology online dictionary
- data hiding
- data corruption

Show me more

This was first published in March 2007

Back to top

More from Related TechTarget Sites

Business Analytics
Data Center
Data Management
Data Management UK
Oracle
Content Management
Windows Server

Business Analytics
- On the go the way to go? Answer lies with building mobile BI business case
  
  According to a recent Gartner survey, mobile technology is the second most important priority for CIOs in 2012, but building the business case is easier said than done.
- Basic vs. complex: Companies walk the line on analytics best practices
  
  Businesses looking to build effective business intelligence and analytics programs have to toe the line between focusing on the basics and using new technology to build more complex BI systems.
- Real estate company refines, expands geographic information system
  
  Marcus & Millichap shakes off its archaic data cleansing and analytics system for more automated processes, enabling the firm to explore its data on a more granular level.
Data Center
- Changes to z/OS 1.13 help Java adoption and boost mainframe capacity
  
  Updates to zFS, better Java performance and tweaks to z/OSMF make IBM's z/OS 1.13 a solid release for developers.
- 'Big data' shops eye cheaper four-socket Intel Xeon servers
  
  What once required high-end Intel E7 processors and motherboards now fits into a lower-cost E5-4600 four-socket Intel Xeon system, suitable for scale-out workloads in HPC and big data.
- Using overhead cables to tidy your data center: Ask the Expert podcast
  
  As data centers move away from tangled messes under the floor, overhead cables usher in a new era of visibility and tidiness.
Data Management
- As data demands speed up, information management tools pave road ahead
  
  New research shows data virtualization, data governance and master data management initiatives provide higher levels of satisfaction with data quality and data integration.
- Bank of America IT exec: EIM drivers key to shaping project plans
  
  Enterprise information management programs should be molded around clear business objectives, says a senior information architect at Bank of America.
- In-memory database caching helps AltEgo bring online avatars to life
  
  In-memory database caching technology is helping gamers take charge of their online identities.
DataManagement UK
- Podcast: How to craft an effective MDM strategy
  
  In this podcast interview, Andy Hayler gives advice on how to create and implement an MDM strategy that is ruthlessly focused on business value.
- Jill Dyché: CEO big data focus good news and bad news for IT
  
  Jill Dyché, a data management expert, sees CEO interest and scepticism as both an opportunity and a threat. Avoid the big data 'gotchas', and don't mistake data warehousing for big data.
- Infostrada teams up with Roambi, mobile sports analytics at Olympics
  
  Dutch media sports information provider Infostrada has teamed up with mobile BI company Roambi to create an iPhone and iPad app for the Olympics. It will predict medal counts.
Oracle
- Las Vegas expands its Oracle business intelligence horizons for better government transparency
  
  The city of Las Vegas underwent a three-year Oracle business intelligence project to bring more data to its employees and the public. The city's IT manager explains how it happened.
- Midmarket companies find JD Edwards upgrades a good fit
  
  At some point, your JD Edwards shop will have to decide whether to switch to a different product, upgrade or stay where you are. Learn what two other organizations did when working through JD Edwards upgrades.
- Jury issues partial verdict in Oracle vs. Google Java lawsuit
  
  The jury has issued a partial verdict in the copyright phase of the Oracle vs. Google lawsuit, in which Oracle is claiming that Google violated Java patents and copyright with its Android mobile operating system.
Content Management
- Cimarex picks Accellion enterprise collaboration platform over SharePoint
  
  Cimarex Energy replaced its SharePoint system with Accellion’s enterprise collaboration platform for secure mobile file sharing and uses it to recruit graduate geology students.
- Paper originals still needed when using a document management system?
  
  Get expert advice on whether it’s necessary to keep paper or other forms of original materials once a company implements an electronic document management system.
- Out with old: Effective records management begins with losing useless data
  
  An effective records management program is one that not only knows what to keep – but which expired data can be removed to save time and money, said consultant Randolph Kahn.
Windows Server
- Why Workflow may be PowerShell v3's most important feature
  
  Your task list is about to be reborn. Our expert explains how Workflow will help you now -- and how it will help guide Microsoft in the future.
- Test your System Center 2012 knowledge
  
  What's new in System Center 2012? See how much you know about a wide variety of topics in System Center.
- Microsoft patches 23 security vulnerabilities, three critical bulletins
  
  Microsoft addressed 23 vulnerabilities as part of its May Patch Tuesday update, addressing flaws in Windows and Office.

All Rights Reserved, Copyright 2005 - 2012, TechTarget