More on SQL injection

In SQL databases,

anything following the quote ( ‘ ) is considered code.  So, If we want to check if a website is vulnerable to SQL injection, we just need to type a single quote in the URL. The website may vomit an error saying argument is invalid SQL result resource or there is an error in your SQL syntax etc… This would prove the website is SQL injectable.

Besides the quote character, other characters can also be used to check SQL injection. Like, In case of Oracle, blank space, comma or double quote characters.

Preventing SQL injection

To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.

Source: wikipedia

How To: Protect From SQL Injection in ASP.NET

protect mysql db :

protect Oracle db:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s