” Security doesn’t suffers because of Hackers, It suffers because of unaware developers and inappropriate programming techniques”.
“You can never stop hackers to hack something, you can just make his task harder by putting some extra security”
Complete Guide to Stop or Prevent SQL injection |
“Little knowledge is a dangerous thing”.
1. Avoiding use of dynamic queries.2. Not allowing user inputs in your queries
1. Use dynamic SQL if and only if there is no other alternative2. Escape user input always3. Always assume magic quotes is off4. Install security updates and patches regularly5. Remove all the dead SQL’s or other codes that you don’t use6. Never display the system defined error message for SQL errors7. Store database credentials in a separate file8. Use the principle of least privilege9. Disable shells10. Use SQL injection Hack tools to check vulnerabilities
string cmdText=string.Format(“SELECT * FROM Customers “+
“WHERE Country='{0}'”, countryName);
SqlCommand cmd = new SqlCommand(cmdText, conn);
string commandText = “SELECT * FROM Customers “+
“WHERE Country=@CountryName”;
SqlCommand cmd = new SqlCommand(commandText, conn);
cmd.Parameters.Add(“@CountryName”,countryName);
Stored procedures can be written to validate any input that is sent to them to ensure the integrity of the data beyond the simple constraints otherwise available on the tables. Parameters can be checked for valid ranges. Information can be cross checked with data in other tables.
$username = $_POST[‘username’];
$password = $_POST[‘password’];
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
Leave a Reply