Find solution
How will this affect chances of preventing SQL injection?

SQL Injection Prevention. What defense should I use?

  • So, soon I will have logins, .asp, SQL server, etc.. on my servers. My question I guess is, what would your opinion be on the type of defense I should take on this? I understand each different approach, but I'm curious as to what I should use, let's say for instance, external filtering. If I get a filter what would be a good recomendation? Sanctum? AppShield? But then I have to worry about certain innovative injections not being caught by the application I choose. Correcting the coding flaws won't always work. Suggestions and opinions on SQL Injections, and other web application security is suggested. Kinda just wanting to discuss this matter because it's the main source of attacks. Firewalls aren't blocking access to my website.

  • Answer:

    Preventing SQL injection The various techniques used to prevent SQL injections are: 1. Parameterized query 2. Stored procedure 3. Regular expression to discard input string 4. Quoteblock function 5. Don’t show detailed error messages to the user. 6. Have a less privileged user/role of your application in database. SQL injections can be prevented. However there are myths about them (like if I am using stored procedure I am safe). One rule still follows: ‘Don't show detailed error messages to the user’. The basic mantra to prevent SQL injections is to let the string input as a string input to the SQL Server. This can be done by checking the string terminator character before giving the input to the server. Some techniques like using parameterized query and using stored procedures will do it free for you. However I would still suggest you to use the Quoteblock function inside them (MS SQL Server). The other prevention will be only carefully deciding the grant of the execute command to the service account which you are using to make the communication possible between the SQL server and the web server. One handy tip is not to use dynamic SQL in your application. Dynamic SQL is like (MS SQL). Hope this will help.

Secure-R... at Yahoo! Answers Visit the source

Was this solution helpful to you?

Other answers

Wow, It has been about two years since I ever even read about SQL Injection. As I am not up to speed with all of the procedures, to my understanding the best way to prevent it is to create restrictions on the user input. Chances are that a true hacker will have no interest on your site. Because script-kiddies will be your biggest threat, use the programs that they would use. Their are some great web application scanners available. I can't recall the names right now, but I will look them up in some of my books and add them to the post. What is the function of the website? You mentioned logins and, obviously, SQL. Are you going to run a web application? Again, just do some research on SQL as I know that their is a lot of information on it on the different hacker-sites. Packet Storm is bound to have some information and programs that can assist you. Please email me if necessary.

ipndrmath

Related Q & A:

Just Added Q & A:

Find solution

For every problem there is a solution! Proved by Solucija.

  • Got an issue and looking for advice?

  • Ask Solucija to search every corner of the Web for help.

  • Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.