defending sql injection attacks

  • Can someone tell me the ways we can keep defending against SQL injection attacks?

    SQL injection attacks are trials done by users, like entering strings such as "insert into table1 values(1,"abc")" rather than entering the text input string, and finally achieving their target of modifying the data without the knowledge of the Application Admin. Thanks in advance.

  • Do not allow users direct access to tables by creating views.

    Create groups, assign group permissions, assign users to a group.

    Use only stored procedures, and when expecting user input use Stored procedures containing parameters defining the parameter's size / type to the size / type of the column.

    Read articles such as:

    http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

    If everything seems to be going well, you have obviously overlooked something.

    Ron

    Please help us, help you - before posting a question please read
    Before posting a performance problem please read

  • Use parameters in your client side code as well. Don't

    Myvar.Execute "myproc " & myparam

    Use the proper parameter client side methods (add to the call as methods, not concatenations) when calling stored procedures.

  • If you absolutely MUST use dynamic SQL, make it parameterized instead of a concatenated string. You can then call sp_executesql and pass the appropriate parameters.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning
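An added example, not from any post in this thread, showing the parameterized sp_executesql approach the last reply recommends next to the concatenated form it warns against. The table dbo.Customers and the procedure names are assumptions made for the example.

```sql
-- Added example (not from the thread). Assumes a table
-- dbo.Customers(CustomerId int, Name nvarchar(100), City nvarchar(50)).

-- DON'T: @City is spliced into the statement text, so the input is parsed
-- as part of the SQL rather than treated as a value.
CREATE PROCEDURE dbo.FindCustomers_Unsafe
    @City nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE City = '''
               + @City + N'''';
    EXEC (@sql);   -- a single quote inside @City changes the statement itself
END;
GO

-- DO: the statement text is fixed; @City is passed to sp_executesql as a
-- typed parameter sized like the column and is never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomers
    @City nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE City = @City';
    EXEC sp_executesql @sql,
                       N'@City nvarchar(50)',   -- parameter definition, typed like the column
                       @City = @City;           -- value is bound, not concatenated
END;
GO

-- Check with a legitimate value that contains a quote character.
-- The unsafe procedure fails or misbehaves because the quote breaks the
-- built statement; the parameterized one simply matches the literal string.
EXEC dbo.FindCustomers @City = N'L''Aquila';
```

When the stored procedure path is not available, the same sp_executesql call can be issued from the client with a parameter collection, which is the client-side point the second reply makes.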
