More on SQL injection

In SQL databases, anything following a closing quote ( ' ) is interpreted as code rather than as data. So, to check whether a website is vulnerable to SQL injection, you only need to type a single quote into a URL parameter. A vulnerable website may then return an error such as "argument is not a valid SQL result resource" or "there is an error in your SQL syntax". Such an error shows that user input reaches the query unescaped, i.e. the website is SQL injectable.

Besides the single quote, other characters can also be used to check for SQL injection; in Oracle, for example, a blank space, a comma or a double quote.

Preventing SQL injection

To protect against SQL injection, user input must never be embedded directly in SQL statements. Instead, parameterized statements must be used (preferred), or the input must be carefully escaped or filtered before it is used.

Source: wikipedia
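The following is an added example (not from the original post) showing both halves of the above in Python with the standard library's sqlite3 module: a query that concatenates user input, which fails with a syntax error on the single-quote probe described earlier, next to the parameterized version, which treats the same input as plain data. The table, rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample database: an in-memory SQLite table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: the input is pasted into the statement text, so a
    # quote in the input terminates the string literal and the rest is parsed
    # as SQL. A lone "'" leaves the statement syntactically broken.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized statement: the driver sends the value separately from the
    # SQL text, so it is never parsed as code, whatever characters it contains.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def probe(conn, name):
    # Reports whether the unsafe query raises a database error on this input.
    # This is exactly the symptom the post describes; the safe query never
    # errors on the same input, it simply finds no matching row.
    try:
        lookup_unsafe(conn, name)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal input:", probe(db, "alice"))   # ok
    print("unsafe, single quote:", probe(db, "'"))       # error
    print("safe, single quote:", lookup_safe(db, "'"))   # []
```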

How To: Protect From SQL Injection in ASP.NET

http://msdn.microsoft.com/en-us/library/ms998271.aspx

Protect a MySQL DB:

http://digg.com/linux_unix/How_To_Protect_MySQL_Database_From_SQL_Injection_Attacks

Protect an Oracle DB:

http://www.securityfocus.com/infocus/1646
