Protect against SQL Injection by whitelisting

OK, admittedly the best practice for guarding against SQL Injection attacks is to white-ist acceptable characters. However, given that knowledge is power, is there a comprehensive list of special characters (such as the single-quote or double-hyphen) available for SQL Server? I have done a ton of searches and can't seem to find one (I did find the reserved words).

Steven Andres, Special Ops Security

Published: 23 Mar 2007

OK, admittedly the best practice for guarding against SQL Injection attacks is to white-list acceptable characters. However, given that knowledge is power, is there a comprehensive list of special characters (such as the single-quote or double-hyphen) available for SQL Server? I have done a ton of searches and can't seem to find one (I did find the reserved words).

SQL is such a powerful language (some would say too powerful) that there isn't a really good list to use for blacklisting. You're right on the money, that whitelisting is your first line of defense. I always like to use a RegEx function to filter all my user provided input. If the data passes the RegEx, then I pass it through a very simple blacklist function as a just-in-case. To date, I haven't seen anything in any application I've written that ever fired off the blacklist function because the whitelist is much more powerful. Whitelisting isn't as hard as you may think; a bunch of examples of RegEx in ASP and PHP abound and you can get really great examples of RegEx strings at www.regexlib.com.

Dig Deeper on SQL Server Security

Security Think Tank: Best practice to target SQLi Why does SQL injection remain a successful way of attacking web applications?

Can I use special characters in Oracle table names? Learn why you may want to avoid using special characters in Oracle table names when they also have meaning in utilities or SQL scripts in this tip from Oracle database expert Brian Peasland.

wildcard character A wildcard character is a special character that represents one or more other characters.

How to list rows with special characters in PL/SQL Want to learn how to list rows with special characters in PL/SQL? Read this tip from our PL/SQL expert for advice on how to write a PL/SQL query using the translate, char or trunk functions.

Top 10 SQL Server development tips of 2008 Here are the top 10 most viewed SQL Server development tips of 2008. From converting date/time values into character types, working with DATETIME and SMALLDATETIME in SQL Server 2005, using a stored procedure to find the size of SQL Server tables and retrieving XML data values with XQuery, these were the topics that made you click in 2008.

Using remote AS400 commands in a Windows environment RUNRMTCMD is the AS400 implementation of REXEC client and it supports 2000 characters, but the REXEC daemon from iSeries Access only supports up to 1000 characters. To run a long command, such as a SQL Server IS package, you will want to use a different REXEC daemon.

Related Q&A from Steven Andres

Creating a login in SQL Server 2000 Enterprise Manager

Find how to create a SQL Server 2000 login account and then set user account rights to specific databases with "db_owner." Continue Reading

SQL Server connection lost when SA password is changed

Learn why SQL Server 2000 connection is lost on the client side when database administrator changes 'SA' password on the SQL Server domain. Continue Reading

Creating a SQL Server user authentication schema

Learn how to create a SQL Server user authentication schema having password and tracked data changes requirements and how it involves Windows ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our SQL Server experts

View all SQL Server questions and answers

SearchBusinessAnalytics

Alteryx 2019.4 highlighted by new integration with Tableau

New integrations with Tableau that enable easier data management and Mapbox to provide street-level map views come with the ...

BI vendors jump into low-code/no-code tools for developers

A spate of BI vendors included easy-to-use tools for developers in their recent updates, perhaps marking the start of a new trend...

Sisense analytics platform update features AI, data prep tool

Augmented intelligence features and an in-warehouse data prep tool highlight Sisense's latest update, its second since acquiring ...

SearchDataCenter

Comparing Linux distributions: Red Hat vs. Ubuntu

Before selecting a Linux distribution, compare Red Hat Enterprise Linux and Ubuntu when it comes to features, ease of use, ...

Get eco-friendly with LEED data center certification

The U.S. Green Building Council helps companies make existing and new data centers eco-friendly. HVAC, lighting and monitoring ...

Top 4 open source automation tools for admins

Open source offerings are an easy way to bring automation into your organization. When selecting software, evaluate the user ...

SearchDataManagement

Data warehouse technologies evolve as vendors look skyward

The need for high-speed analytics and low latency are pushing data warehousing vendors to create and reinvent their platforms and...

Top database cloud migration considerations for enterprises

As the amount of incoming data grows, many organizations are switching to cloud databases. Understanding what database best meets...

Amazon cloud database and data analytics expand

AWS expands its Redshift data warehouse capabilities including managed storage and query acceleration at the re:Invent 2019 ...

SearchAWS

AWS seeks niche in the cloud UC market

AWS could play a bigger role in the cloud UC market in 2020 and beyond by targeting developers and existing AWS customers.

National Australia Bank cashes in on AWS training and certification

Structured training got nearly 1,000 National Australia Bank employees certified on AWS, while AWS-honed tactics such as ...

Overcome these VMware Cloud on AWS migration challenges

Plan ahead for a VMware-to-AWS cloud migration with this breakdown on common challenges organizations face during the move to ...

SearchOracle

Oracle Autonomous Database shifts IT focus to strategic planning

This handbook looks at what Oracle Autonomous Database offers to Oracle users and issues that organizations should consider ...

Oracle Autonomous Database features free DBAs from routine tasks

Oracle Autonomous Database can automate routine administrative and operational tasks for DBAs and improve productivity, but ...

Oracle co-CEO Mark Hurd dead at 62, succession plan looms

Oracle co-CEO Mark Hurd's abrupt death at 62 has put the software giant in the position of naming his replacement, and the ...

SearchContentManagement

Personalization engines help engage and retain customers

Content personalization is essential to getting the right material to the right customers. Here are some personalization engines ...

New capabilities added to Alfresco Governance Services

The updates are intended to secure electronically stored information residing across different locations in light of recent ...

Top 5 Office 365 skills for SharePoint administrators

Microsoft SharePoint administrators need to branch out in their Office 365 skill set to support products tightly integrating with...

SearchWindowsServer

What admins need to know about Azure Stack HCI

Microsoft put its branding on a relatively new hyper-converged infrastructure offering that capitalizes on the software-defined ...

How to manage Exchange hybrid mail flow rules

Duplicating your existing transport rule collection won't work when you move to an Exchange hybrid deployment. Learn how to set ...

How to repair Windows Server using Windows SFC and DISM

Administrators can diagnose and treat a buggy server operating system by using the Windows SFC and DISM utilities for image ...

Protect against SQL Injection by whitelisting

Dig Deeper on SQL Server Security

Related Q&A from Steven Andres

Creating a login in SQL Server 2000 Enterprise Manager

SQL Server connection lost when SA password is changed

Creating a SQL Server user authentication schema

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchBusinessAnalytics

Alteryx 2019.4 highlighted by new integration with Tableau

BI vendors jump into low-code/no-code tools for developers

Sisense analytics platform update features AI, data prep tool

SearchDataCenter

Comparing Linux distributions: Red Hat vs. Ubuntu

Get eco-friendly with LEED data center certification

Top 4 open source automation tools for admins

SearchDataManagement

Data warehouse technologies evolve as vendors look skyward

Top database cloud migration considerations for enterprises

Amazon cloud database and data analytics expand

SearchAWS

AWS seeks niche in the cloud UC market

National Australia Bank cashes in on AWS training and certification

Overcome these VMware Cloud on AWS migration challenges

SearchOracle

Oracle Autonomous Database shifts IT focus to strategic planning

Oracle Autonomous Database features free DBAs from routine tasks

Oracle co-CEO Mark Hurd dead at 62, succession plan looms

SearchContentManagement

Personalization engines help engage and retain customers

New capabilities added to Alfresco Governance Services

Top 5 Office 365 skills for SharePoint administrators

SearchWindowsServer

What admins need to know about Azure Stack HCI

How to manage Exchange hybrid mail flow rules

How to repair Windows Server using Windows SFC and DISM

Dig Deeper on SQL Server Security

Related Q&A from Steven Andres

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.