
Avoid SQL injection with these best practices

Avoiding SQL Server injection through validating data may be tedious, but it is usually simple and always worthwhile.

Can you offer best practices to avoid SQL (Server) injection?
Some sound advice on the subject can be found at SQLSecurity.com. The Web site is run by Chip Andrews, the fellow who coined the phrase "SQL injection." Most of the advice follows a repeating battle cry: Sanitize all data coming into your application (whether from human input, browser user-agent strings or cookies). Validate that when you're expecting a numeric, you receive a numeric. Most of it is simple once you get the hang of it, but it's a pain when you're trying to whip out a quick Web application. The trouble is quick Web apps tend to grow into enterprise mission-critical systems. Things that didn't seem important when you were making a quick little program to track jelly beans (such as data input validation) become monstrous issues when your application controls the worldwide inventory of a Jelly Bean factory. Here are some additional resources to help you prevent SQL injection attacks:
  • Automate SQL injection testing
  • Checklist: How to test SQL Server security
  • Discover and lock down vulnerable SQL Server services
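The two rules in the answer above, "validate that a numeric is a numeric" and keep untrusted data out of the statement text, in a worked example added here (not code from the answer or from SQLSecurity.com). It uses the jelly-bean inventory from the answer as a constructed table and sqlite3 in place of SQL Server purely so it runs offline; the same pattern applies to any driver that supports bound parameters.

```python
import re
import sqlite3

# Constructed sample table (assumption: the page names no schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jellybeans (id INTEGER PRIMARY KEY, flavor TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO jellybeans VALUES (?, ?, ?)",
                     [(1, "cherry", 120), (2, "lemon", 45), (3, "licorice", 7)])
    return conn

def lookup_unsafe(conn, bean_id):
    # Anti-pattern: the caller's raw string is pasted into the statement, so
    # anything that is not a bare number rewrites the WHERE clause.
    sql = "SELECT id, flavor FROM jellybeans WHERE id = " + bean_id
    return conn.execute(sql).fetchall()

def is_valid_id(raw):
    # "Expecting a numeric, receive a numeric": only a short run of digits
    # is accepted; spaces, quotes and keywords never reach the database.
    return re.fullmatch(r"\d{1,9}", raw) is not None

def lookup_safe(conn, raw_id):
    # Validate at the trust boundary, then bind the converted value as a
    # parameter so the driver ships it as data rather than as SQL text.
    if not is_valid_id(raw_id):
        raise ValueError(f"rejected non-numeric id: {raw_id!r}")
    sql = "SELECT id, flavor FROM jellybeans WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()

def lookup_flavor(conn, flavor):
    # Free text cannot be whitelisted as tightly as an id, so here the
    # parameter binding alone keeps quotes and keywords inside the value.
    sql = "SELECT id FROM jellybeans WHERE flavor = ?"
    return conn.execute(sql, (flavor,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "2"))           # [(2, 'lemon')]
    print(lookup_unsafe(db, "2 OR 1=1"))    # all three rows: input changed the query
    print(lookup_safe(db, "2"))             # [(2, 'lemon')]
    print(is_valid_id("2 OR 1=1"))          # False: rejected before any SQL runs
    print(lookup_flavor(db, "lemon' OR 1=1 --"))  # []: treated as a literal flavor name
```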
