ifacethoughts

SQL Injection

SQL Injection is probably the best reason, other than speed of execution sometimes, to use stored procedures instead of dynamic SQL queries. Ill-intentioned users can inject character literals through their input that can be used to comment out part of the query being executed. Scott Glu has a tip on ways of preventing it (via Miguel de Icaza). It is specific to .Net, but can easily be extended to any other language/platform.

Discussion [Participate or Link]

  1. Code Injection And Not Just SQL on iface thoughts said:

    […] Brian Sullivan points out that code injection need not be always through SQL. Though SQL injection is popular, malicious code can be injected through user input during any data retrieval, including for XML and LDAP. He discusses some techniques for protecting against the injection with the common principle of validating every single input from the user. Having a whitelist instead of a blacklist can help as usually you know the allowed parameters and the set of invalid parameters can be infinite. A good article. […]

  2. Format String Vulnerabilities on iface thoughts said:

    […] technique is conceptually very obviously similar to other injection techniques, like SQL Injection, where the user can provide (inject) malicious input which is not correctly handled by the […]

  3. Preventing SQL Injection | iface thoughts said:

    […] in a very clear and detailed manner, explains the various ways of preventing SQL Injection. SQL Injection is one of the biggest security worries. If not handled properly you can leave your entire […]

Say your thought!

If you want to use HTML you can use these tags: <a>, <em>, <strong>, <abbr>, <code>, <blockquote>. Closing the tags will be appreciated as this site uses valid XHTML.

freshthoughts

contactme

Abhijit Nadgouda
iface Consulting
India
+91 9819820312
My bookmarks

badgesand...

This is the weblog of Abhijit Nadgouda where he writes down his thoughts on software development and related topics. You are invited to subscribe to the feed to stay updated or check out more subscription options. Or you can choose to browse by one of the topics.