1. Filter out characters like single quote, double quote, slash, backslash and semicolon, and extended characters like NULL, carriage return and new line, in all strings that come from: input from users, parameters from the URL, and values from cookies.
2. For numeric values, convert the value to an integer before putting it into the SQL statement, or use ISNUMERIC to make sure it is numeric.
3. Change "Startup and run SQL Server" to use a low-privilege user account, on the SQL Server Security tab.
4. Delete stored procedures that you are not using, such as xp_cmdshell, xp_startmail, xp_sendmail and sp_makewebtask, from the master database.
5. Use this code in your ASP code to filter out the single quote:
   Login = Trim(Replace(Request("Login"), "'", "''"))
6. Avoid using traditional table names like login, user, member, etc.
7. Avoid using table column names like UserID, UserName, Password, Name, ClientID, MemberID, MemberName, etc.
8. Avoid using textbox names in ASP pages that are similar to the table column names.
9. Avoid using JavaScript variable names that are similar to the table column names.
10. The MaxLength of each input textbox in the ASP pages should be set equal to the length of the corresponding field in the table.
11. Use naming conventions for the input object names and variable names in ASP pages.
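The three input-handling rules above (item 1: strip the listed characters from every string taken from user input, URL parameters and cookies; item 2: coerce numeric parameters to an integer before they reach the SQL statement; item 5: double any single quote with Trim + Replace) can be checked in a few small functions. The code below is an added example written for this page, not code from the original post; it ports the logic to Python so it can be run and tested offline, and the request values it processes are constructed sample data.

```python
import re
from typing import Optional, Dict

# Item 1: characters to strip from every untrusted string
# (single quote, double quote, slash, backslash, semicolon,
#  NULL, carriage return, new line).
DANGEROUS_CHARS = "'\"/\\;\x00\r\n"


def strip_dangerous_chars(value: str) -> str:
    """Remove every character listed in item 1 from an untrusted string."""
    return "".join(ch for ch in value if ch not in DANGEROUS_CHARS)


def escape_single_quote(value: str) -> str:
    """Item 5, the classic-ASP Trim(Replace(x, "'", "''")) in Python."""
    return value.strip().replace("'", "''")


def to_int_or_none(value: str) -> Optional[int]:
    """Item 2: accept only a plain (optionally signed) integer literal.

    Returns None for anything else, so the caller can reject the request
    instead of concatenating the raw text into a SQL statement.
    """
    value = value.strip()
    if re.fullmatch(r"[+-]?\d+", value) is None:
        return None
    return int(value)


def sanitize_request(form: Dict[str, str],
                     query: Dict[str, str],
                     cookies: Dict[str, str]) -> Dict[str, str]:
    """Apply item 1 to all three sources the list names.

    Later sources do not override earlier ones; a key that appears in
    several places keeps the first value seen.
    """
    cleaned: Dict[str, str] = {}
    for source in (form, query, cookies):
        for key, raw in source.items():
            cleaned.setdefault(key, strip_dangerous_chars(raw))
    return cleaned


def build_member_lookup(member_id_text: str) -> Optional[str]:
    """Item 2 applied to a numeric parameter before building the statement.

    Returns the statement text, or None when the parameter is not an
    integer (the request should then be refused).
    """
    member_id = to_int_or_none(member_id_text)
    if member_id is None:
        return None
    # Only the coerced integer is interpolated, never the original text.
    return "SELECT Name FROM Members WHERE MemberID = %d" % member_id


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample_form = {"Login": " o'neil ", "Comment": "hello;\r\n"}
    sample_query = {"MemberID": "42"}
    sample_cookies = {"Session": "abc\x00def"}
    print(sanitize_request(sample_form, sample_query, sample_cookies))
    print(escape_single_quote(sample_form["Login"]))
    print(build_member_lookup("42"))
    print(build_member_lookup("42 OR 1=1"))
```

`to_int_or_none` is deliberately stricter than ISNUMERIC, which also accepts decimals, currency symbols and exponents; a member or client identifier should only ever be a whole number, so the regular expression rejects everything else and the caller refuses the request.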