SQL Injection attacks

Although I have researched SQL injection attacks before, as with any security issue it's important to see whether new attacks have emerged.

Since I mainly develop in .NET and T-SQL, a lot of the recommended input checking etc. is the same story as usual: parse input and, where possible, limit the characters allowed.

For many developers, these kinds of checks are skipped initially because of the trial-and-error approach they take to development. I develop class-based and tier-based solutions, so any cleansing that is necessary can be implemented without duplicating code.

For anyone starting a new project, I would recommend creating separate classes or layers for pulling data from and pushing data to the database. That way most of the cleansing is done in one place, and the definitions of the destination columns (type and maximum length) determine the limits on what may be submitted to the database.

Where possible, use stored procedures, called with parameters rather than by concatenating values into the SQL text (a procedure that builds dynamic SQL from its arguments is just as injectable as inline SQL). Very importantly, handle errors so that no clues are returned to anyone attempting unauthorised access: raw database error messages reveal table and column names and the shape of the query. Secondly, log failed attempts, the contents of those attempts and their originating IP addresses so you can adapt whatever defences you have in place for dealing with them.
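To make the advice in the last two paragraphs concrete, here is an added T-SQL example; it is not code from the original post. The Customers and QueryAudit tables, their columns, and the procedure names are assumed for illustration. The first procedure shows the mistake the post warns about: a stored procedure that pastes its argument into dynamic SQL. The second keeps the value as a typed parameter whose length is bounded by the destination column, rejects characters the field cannot legitimately contain, logs any failure together with the input and the client address, and returns only a generic error to the caller.

```sql
-- Added example (not from the original post). Table and procedure names are assumed.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Email      NVARCHAR(254) NOT NULL,
    FullName   NVARCHAR(100) NOT NULL
);

-- Failed or suspicious calls are recorded here, as the post recommends.
CREATE TABLE dbo.QueryAudit (
    AuditId     INT IDENTITY(1,1) PRIMARY KEY,
    LoggedAt    DATETIME2      NOT NULL DEFAULT SYSUTCDATETIME(),
    ProcName    SYSNAME        NOT NULL,
    InputValue  NVARCHAR(MAX)  NULL,
    ClientAddr  NVARCHAR(48)   NULL,
    ErrorNumber INT            NULL,
    ErrorText   NVARCHAR(4000) NULL
);
GO

-- VULNERABLE: the argument is spliced into the SQL text, so an input such as
--   x' OR 1=1 --
-- rewrites the query. Wrapping this in a stored procedure changes nothing.
CREATE PROCEDURE dbo.FindCustomerByEmail_Unsafe
    @Email NVARCHAR(254)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email, FullName FROM dbo.Customers WHERE Email = '''
        + @Email + N'''';
    EXEC (@sql);
END
GO

-- HARDENED: the value travels as a typed parameter and never becomes SQL text.
-- The parameter length matches the destination column, so over-long input is
-- cut off by the type system before the query runs.
CREATE PROCEDURE dbo.FindCustomerByEmail
    @Email NVARCHAR(254)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        -- Cleansing in one place: bounded length and only characters an
        -- e-mail address can contain (the set is an assumption for this example).
        IF @Email IS NULL OR LEN(@Email) = 0 OR LEN(@Email) > 254
           OR @Email LIKE N'%[^a-zA-Z0-9@._+-]%'
            THROW 50001, N'Invalid input.', 1;

        -- Static query: the user-supplied value is compared, never concatenated.
        SELECT CustomerId, Email, FullName
        FROM   dbo.Customers
        WHERE  Email = @Email;
    END TRY
    BEGIN CATCH
        -- Record what was attempted, from where, and what went wrong,
        -- so the attempt can be analysed later.
        INSERT INTO dbo.QueryAudit (ProcName, InputValue, ClientAddr, ErrorNumber, ErrorText)
        VALUES (OBJECT_NAME(@@PROCID),
                @Email,
                CONVERT(NVARCHAR(48), CONNECTIONPROPERTY('client_net_address')),
                ERROR_NUMBER(),
                ERROR_MESSAGE());

        -- The caller sees a generic message: no object names, no syntax details.
        THROW 50000, N'The request could not be processed.', 1;
    END CATCH
END
GO
```

The .NET side should call `dbo.FindCustomerByEmail` with `CommandType.StoredProcedure` and a typed `SqlParameter`, so the same length limit applies on both tiers. If dynamic SQL is genuinely unavoidable (for example a caller-selected sort column), pass values through `sp_executesql` with a parameter definition and validate any identifier against a fixed list of allowed names; identifiers cannot be parameterised and must never be taken from input directly.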

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted on 4 June '07 by Aaron, under MySQL and T-SQL (MS-SQL).