How can SQL Injection be stopped?

Question
-
How can SQL Injection be stopped?
Sunday, April 24, 2016 3:35 AM
Answers
-
Just do a simple search on Google and you will get lots of articles.
A few are listed below:
https://msdn.microsoft.com/en-us/library/ff648339.aspx
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev
http://www.veracode.com/security/sql-injection
Please Mark This As Answer if it solved your issue
Please Vote This As Helpful if it helps to solve your issue
Visakh
----------------------------
My Wiki User Page
My MSDN Page
My Personal Blog
My Facebook Page
- Proposed as answer by Shanky_621 (MVP) Sunday, April 24, 2016 8:46 AM
- Marked as answer by Lydia Zhang (Microsoft contingent staff) Wednesday, May 4, 2016 9:46 AM
Sunday, April 24, 2016 5:16 AM -
- Proposed as answer by Naomi N Wednesday, April 27, 2016 1:41 AM
- Marked as answer by Lydia Zhang (Microsoft contingent staff) Wednesday, May 4, 2016 9:46 AM
Sunday, April 24, 2016 11:05 AM
All replies
-
One simple way is using stored procedures with parameters (I assume you won't provide a WHERE condition as a string as a parameter :-))
Best Regards,
Uri Dimant, SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/
MS SQL optimization: MS SQL Development and Optimization
MS SQL Consulting: Large scale of database and data cleansing
Remote DBA Services: Improves MS SQL Database Performance
SQL Server Integration Services: Business Intelligence
Sunday, April 24, 2016 6:14 AM -
- Proposed as answer by Naomi N Wednesday, April 27, 2016 1:41 AM
- Marked as answer by Lydia Zhang (Microsoft contingent staff) Wednesday, May 4, 2016 9:46 AM
Sunday, April 24, 2016 11:05 AM -
Hi Research4,
Regarding Dynamic SQL:
Use the sp_executesql stored procedure rather than EXEC. You can use parameters.
You will avoid the classic concatenations with ''.
- Edited by Enric Vives Sunday, April 24, 2016 12:18 PM
Sunday, April 24, 2016 12:18 PM -
How can SQL Injection be stopped?
Electric shocks in the keyboard every time a developer inlines parameters into the SQL string.
Preventing SQL injection is all about discipline and education.
Cheers,
Shashank
Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
My TechNet Wiki Articles
MVP
Monday, April 25, 2016 5:45 AM -
You can simply prevent SQL injection by using stored procedures. They take the injected code as a variable and return an empty result set. Please have a look here: http://www.sqlserverlogexplorer.com/prevent-sql-injection-in-sql-server/
Stored procedures certainly help, but not:
1) If a bad developer builds an EXEC string rather than using CommandType.StoredProcedure.
2) If a bad developer builds dynamic SQL improperly in the stored procedure.
Monday, April 25, 2016 9:24 PM -
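The two failure modes above, together with Uri's and Enric's points about parameters and sp_executesql, are easier to see side by side. The following T-SQL is an added example, not code from any post in this thread: one stored procedure that still concatenates its input into an EXEC string (and therefore gains nothing from being a stored procedure), and one that passes the value through sp_executesql as a typed parameter and allow-lists the one identifier that cannot be parameterised. The table name, column names and sample rows are assumed for the demonstration.

```sql
-- Added example (not from any reply in this thread). Table, columns and
-- rows are constructed for the demo; run against a scratch database.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    City       NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.Customers (LastName, City)
VALUES (N'O''Brien', N'Dublin'), (N'Smith', N'London');   -- constructed sample rows
GO

-- Failure mode 2) above: a stored procedure that builds the statement text
-- from its input and runs it with EXEC. The wrapper buys nothing; the value
-- becomes part of the SQL text, so a quote in the input changes the query.
CREATE PROCEDURE dbo.FindCustomer_Concat
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customers '
      + N'WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);   -- the input is interpreted as SQL, not as data
END
GO

-- Hardened form: sp_executesql with a parameter definition. The value travels
-- as a typed parameter, so it is always data and the SQL text never changes.
CREATE PROCEDURE dbo.FindCustomer_Param
    @LastName   NVARCHAR(100),
    @SortColumn SYSNAME = N'LastName'
AS
BEGIN
    -- Identifiers cannot be parameters: check the name against an allow-list
    -- and wrap it with QUOTENAME so it is always read as a single identifier.
    IF @SortColumn NOT IN (N'LastName', N'City')
        THROW 50000, N'Invalid sort column', 1;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customers '
      + N'WHERE LastName = @p_lastName ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    EXEC sp_executesql @sql,
                       N'@p_lastName NVARCHAR(100)',
                       @p_lastName = @LastName;
END
GO

-- A legitimate value containing an apostrophe shows the difference without
-- any attack payload: the concatenating version fails with a syntax error
-- (the quote ends the literal early), the parameterised version returns the row.
EXEC dbo.FindCustomer_Param  @LastName = N'O''Brien';   -- returns the O'Brien row
EXEC dbo.FindCustomer_Concat @LastName = N'O''Brien';   -- error: unclosed quotation mark
```

The apostrophe test is worth keeping in a unit test for any procedure that uses dynamic SQL: if an ordinary name like O'Brien breaks the procedure, the input is being spliced into the statement text and the procedure needs the sp_executesql form.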
You can simply prevent SQL injection by using stored procedures. They take the injected code as a variable and return an empty result set. Please have a look here: http://www.sqlserverlogexplorer.com/prevent-sql-injection-in-sql-server/
This article is full of platitudes and errors. The recommended remedy is also incorrect and can lead new users to a false sense of security. The article ends with some random statement telling users to use undocumented functions to read the t-log. How does that prevent SQL injection?
Please stop referencing this article.
No great genius has ever existed without some touch of madness. - Aristotle
Tuesday, April 26, 2016 5:19 PM -
It's basically a log reading tool advertisement.
Cheers,
Shashank
Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
My TechNet Wiki Articles
MVP
Tuesday, April 26, 2016 6:02 PM