Wednesday, 31 July 2013

What is SQL Injection and How to avoid it?

SQL injection happens when untrusted input (a form field, URL parameter, cookie or header) is concatenated into a SQL statement without validation or parameterisation, so that characters such as quotes and comment markers in the input change the structure of the query instead of being treated as data.

In effect the attacker gets to play with the database queries themselves: bypassing a login check, reading rows that belong to other users, or modifying and deleting data.


To Avoid SQL Injection


  • Encrypt (or, for passwords, hash) sensitive data at rest, so that a successful injection discloses as little as possible.
  • Access the database using an account with the least privileges necessary: the application's login should have only the SELECT, INSERT, UPDATE or DELETE rights on the tables it actually uses, never DBA or schema-altering rights.
  • Install and run the database server under an operating-system account with the least privileges necessary, so that a compromised database process cannot take over the host.
  • Ensure that data is valid: check every input against its expected type, length and format (an allow-list) and reject anything else.
  • Do a code review to check for the possibility of second-order attacks, where input that was stored safely is later read back from the database and used unsafely in another query.
  • Use parameterised queries (prepared statements with bound variables) for every statement that includes user-supplied values; this is the primary defence, because the query text is fixed before the values are supplied.
  • Use stored procedures, bearing in mind that a stored procedure that builds dynamic SQL by concatenating its arguments is just as injectable as application code.
  • Re-validate data in stored procedures rather than trusting that the caller already did.
  • Ensure that error messages give nothing away about the internal architecture of the application or the database: log the raw error server-side and return a generic message to the user, since detailed errors are what an attacker uses to learn table and column names.
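A worked example of the vulnerability and of the parameterised-query, validation and error-handling advice above. This is added here and is not code from the original post; it uses Python's standard sqlite3 module with a constructed in-memory users table, and the function, table and column names are the example's own.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("alice", "hash_of_alice_pw", 0),
    ("bob", "hash_of_bob_pw", 1),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the statement by string concatenation (deliberately unsafe).

    The input is spliced into the SQL text, so a quote or a comment marker
    in it becomes part of the query's grammar rather than data.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, username, password_hash):
    """Same lookup with bound parameters.

    The SQL text is fixed; the driver hands the values to the engine
    separately, so they can only ever be compared as strings.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


# Allow-list: what a username is expected to look like (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    """Reject anything outside the expected character set and length."""
    return USERNAME_RE.fullmatch(username) is not None


def login(conn, username, password_hash):
    """Defence in depth: validate, bind parameters, hide engine errors.

    Returns the matched username or None. A database error is turned into
    the same generic failure as a wrong password, so the caller learns
    nothing about table or column names (the raw error would be logged
    server-side in a real application).
    """
    if not is_valid_username(username):
        return None
    try:
        rows = login_parameterised(conn, username, password_hash)
    except sqlite3.Error:
        return None
    return rows[0] if rows else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"  # closes the quoted string, then comments out the rest
    print("vulnerable:    ", login_vulnerable(db, payload, "anything"))
    print("parameterised: ", login_parameterised(db, payload, "anything"))
    print("hardened:      ", login(db, payload, "anything"))
    print("legitimate:    ", login(db, "alice", "hash_of_alice_pw"))
```

With the payload `' OR 1=1 --` the concatenated query becomes `... WHERE username = '' OR 1=1 --' AND password_hash = 'anything'`; everything after `--` is a comment, so the password check disappears and every row is returned. The parameterised version compares the literal string `' OR 1=1 --` against the username column and matches nothing, and the hardened `login` rejects it before the database is even consulted.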


