How to Prevent SQL Injection Attacks
1 Answer

SQL injection attacks occur due to poor website administration and coding. The following steps can be taken to prevent SQL injection.

1. Input validation

  • Replace all single quotes (escape quotes) to two single quotes.
  • Sanitize the input: User input needs to be checked and cleaned of any characters or strings that could possibly be used maliciously. For example, character sequences such as ; , -- , select, insert and xp_ can be used to perform an SQL injection attack.
  • Numeric values should be checked while accepting a query string value. Function - IsNumeric() for Active Server Pages (ASP) should be used to check these numeric values.
  • Keep all text boxes and form fields as short as possible to limit the length of user input.

2. Modify error reports:

SQL errors should not be displayed to outside users and to avoid this, the developer should handle or configure the error reports very carefully. These errors some time time display full query pointing to the syntax error involved and the attacker can use it for further attacks.

3. Other preventions

  • The default system accounts for SQL server 2000 should never be used.
  • Isolate database server and web server. Both should reside on different machines.
  • Most often attackers may make use of several extended stored procedures such as xp_cmdshell and xp_grantlogin in SQL injection attacks. In case such extended stored procedures are not used or have unused triggers, stored procedures, user-defined functions, etc., then these should be moved to an isolated server.
Please log in to add an answer.