welcome Netizen

Share Your Knowledge.It is a way to achieve immortality

Saturday, July 20, 2013

How to avoid SQL injection?

By using stored procedure we can easily avoid the sql injection. mostly sql injection possible only on inline query because we used quotes to insert or update command.
 Following Benefits using stored procedure: 
  1. The user input is not enclosed inside the single quotes. It is rather being passed as parameter to the SQL statement.
  2. The function sp_executesql is being used to execute with the parameter list and the parameterized SQL statements.
Measures to avoid SQL injection
  1. Validate all input coming from the user on the server.
  2. Avoid the use of dynamic SQL queries if there an alternate method is available.
  3. Use parameterized stored procedure with embedded parameters.
  4. Execute stored procedures using a safe interface such as Callable statements in JDBC or CommandObject in ADO.
  5. Use a low privileged account to run the database.
  6. Give proper roles and privileges to the stored procedure being used in the applications.


Post a Comment