
	Home > Ask the SQL Server Experts > Steven Andres - Security Questions & Answers > Protect against SQL Injection by whitelisting

Ask The SQL Server Expert: Questions & Answers

EMAIL THIS

Protect against SQL Injection by whitelisting

EXPERT RESPONSE FROM: Steven Andres

		Pose a Question

		Other SQL Server Categories

		Meet all SQL Server Experts
		Become an Expert for this site

Expert advice on database administration

Digg This! StumbleUpon Del.icio.us

QUESTION POSED ON: 23 March 2007
OK, admittedly the best practice for guarding against SQL Injection attacks is to white-list acceptable characters. However, given that knowledge is power, is there a comprehensive list of special characters (such as the single-quote or double-hyphen) available for SQL Server? I have done a ton of searches and can't seem to find one (I did find the reserved words).

EXPERT RESPONSE
SQL is such a powerful language (some would say too powerful) that there isn't a really good list to use for blacklisting. You're right on the money, that whitelisting is your first line of defense. I always like to use a RegEx function to filter all my user provided input. If the data passes the RegEx, then I pass it through a very simple blacklist function as a just-in-case. To date, I haven't seen anything in any application I've written that ever fired off the blacklist function because the whitelist is much more powerful. Whitelisting isn't as hard as you may think; a bunch of examples of RegEx in ASP and PHP abound and you can get really great examples of RegEx strings at www.regexlib.com.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Steven Andres - Security
	Creating a SQL Server user authentication schema
	Could a join of encrypted SQL Server data have a problem?
	SQL Server connection lost when SA password is changed
	How to set SQL Server password for SA login
	Creating a login in SQL Server 2000 Enterprise Manager
	Code to connect SQL Server 7.0 to Visual Basic 6.0
	Set SQL Server password on database in version 7.0
	Solve SQL Server permissions and authentication problems
	Create username and password for new SQL Server database
	Recover password in SQL Server 2000

SQL Server security

FAQ: How to troubleshoot and grant SQL Server permissions

Secure SQL Server from SQL injection attacks

How insiders hack SQL databases with free tools and a little luck

Sarbanes-Oxley compliance checklist: IT security and SQL audits

SQL Server source code analysis and management adds database security

Ten common SQL Server security vulnerabilities you may be overlooking

SQL Server 2008 security and compliance features reduce security risks

Get your SQL Server security goals in order

How secure is your SQL Server network design?

Creating a SQL Server user authentication schema

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

data corruption (SearchSQLServer.com)

data hiding (SearchSQLServer.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

SEARCH

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2005 - 2008, TechTarget \| Read our Privacy Policy