How can I avoid SQL injection attacks?

by

The proper way to avoid SQL Injection attacks is NOT to simply disallow certain problematic characters, but rather to use parameterized SQL. In short, parameterized SQL prevents the database from executing raw user input as part of the SQL command this prevents user input like “drop table” from being executed. Just escaping characters does not stop all forms of SQL injection attacks and excluding certain words such as “Drop” does not work in all cases; there can be certain fields where “Drop” is a perfectly valid part of the data entry.

You can find some good articles on the subject of paramaterized SQL here:

https://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/

http://www.codeproject.com/KB/database/ParameterizingAdHocSQL.aspx

Now that you mentioned that you are working with ASP.net I can give you some links that deal specifically with SQL Injection in ASP.

https://dzone.com/articles/aspnet-preventing-sql-injectio
https://www.c-sharpcorner.com/UploadFile/75a48f/how-sql-injection-can-be-possible-in-asp-net-websites/

Here is a more general article on making your ASP more secure:
http://www.codeproject.com/KB/web-security/Securing_ASP_NET_Apps.aspx

And, of course the MSDN article on SQL injection:
http://msdn.microsoft.com/en-us/library/ms998271.aspx

More Related Contents:

  1. A good way to escape quotes in a database query string?
  2. Display dynamic image from database or remote source with p:graphicImage and StreamedContent
  3. Are Parameters really enough to prevent Sql injections?
  4. Primary keys with Apache Spark
  5. What are database normal forms and can you give examples? [closed]
  6. How to use mongoimport to import csv
  7. How to recover a corrupt SQLite3 database?
  8. How do IMMUTABLE, STABLE and VOLATILE keywords effect behaviour of function?
  9. Best way to test a MS Access application?
  10. Partial Dependency (Databases)
  11. Can I rollback a transaction I’ve already committed? (data loss)
  12. How do ACID and database transactions work?
  13. Fabric.js – how to save canvas on server with custom attributes
  14. How to disable Django query cache?
  15. Deciding between an artificial primary key and a natural key for a Products table
  16. Django’s ManyToMany Relationship with Additional Fields
  17. Is there a standard for storing normalized phone numbers in a database?
  18. How should international geographical addresses be stored in a relational database?
  19. how to use Blob datatype in Postgres
  20. Is there any option for local database like Sqlite for j2me – CLDC devices?
  21. Are database triggers necessary? [closed]
  22. Which is a good design for a database table that can be owned by two different resources, and therefore needs two different foreign keys? [closed]
  23. many-to-many relationship in database design
  24. What is the difference between Non-Repeatable Read and Phantom Read?
  25. Ideas on database design for capturing audit trails [closed]
  26. I need a client side browser database. What are my options [closed]
  27. HTML5 database storage (SQL lite) – few questions
  28. Does anyone know of a good library for mapping a person’s name to his or her gender? [closed]
  29. Minimum GRANTs needed by mysqldump for dumping a full schema? (TRIGGERs are missing!!)
  30. Is writing server log files to a database a good idea?

Leave a Comment