Can you offer best practices to avoid SQL (Server) injection?
Some sound advice on the subject can be found at
. The Web site is run by Chip Andrews, the fellow who coined the phrase "SQL injection." Most of the advice follows a repeating battle cry: Sanitize all data coming in to your application (whether from human input, browser user-agent strings or cookies). Validate that when you're expecting a numeric, you receive a numeric. Most of it is simple once you get the hang of it, but it's a pain when you're trying to whip out a quick Web application. The trouble is quick Web apps tend to grow into enterprise mission-critical systems. Things that didn't seem important when you were making a quick little program to track jelly beans (such as data input validation) become monstrous issues when your application controls the worldwide inventory of a Jelly Bean factory. Here are some additional resources to help you prevent SQL injection attacks:
Automate SQL injection testing
Checklist: How to test SQL Server security
Discover and lock down vulnerable SQL Server services
Dig Deeper on SQL Server Security
Find how to create a SQL Server 2000 login account and then set user account rights to specific databases with "db_owner."
Learn why SQL Server 2000 connection is lost on the client side when database administrator changes 'SA' password on the SQL Server domain.
Learn how to create a SQL Server user authentication schema having password and tracked data changes requirements and how it involves Windows ...
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.