Wrox Programmer Forums
SQL Language SQL Language discussions not specific to a particular RDBMS program or vendor.
Old June 21st, 2010, 05:48 AM
Registered User

How to avoid SQL injections in a web form

Hi,
Can anyone suggest how to avoid SQL injection in a web form?

Last edited by tester007; June 21st, 2010 at 05:54 AM..
 
Old June 21st, 2010, 11:59 PM
Friend of Wrox

Hello there:
SQL injection solutions:
  • All input to the app from a user, a component, or another program should be validated
  • Use parameterized SQL queries
  • Use stored procedures
  • Use SQL execute-only permission
  • Use proper escaping for SQL identifiers and Data Definition Language (DDL) statements
  • Handle buffer lengths properly
  • Use a least-privileged database account
  • Avoid disclosing detailed error information

These are general, but you may Google each to get more info.

HTH
__________________
Always,
Hovik Melkomian.
 
Old June 22nd, 2010, 01:58 AM
Friend of Wrox

The key thing to do is use parameters in your SQL statements. If you concatenate user input, it can be interpreted as part of the SQL command; hence the danger of SQL injection attacks. If you specify the user input as a parameter, then the DB understands which parts are SQL command and which are data. Someone can attempt a SQL injection attack, but it won't affect the command that is run, which eliminates the danger.
__________________
Chroniclemaster1, Founder of www.EarthChronicle.com
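The contrast described in the reply above, as an added example that is not part of the original thread: the same login lookup written once by concatenating the input into the SQL text and once with parameters, run against a constructed in-memory SQLite table (the table, users and inputs are all assumptions made for the demo).

```python
import sqlite3

# Constructed sample data for the demo (not from the forum thread).
SAMPLE_USERS = [("alice", "alice-secret"), ("bob", "bob-secret")]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, name, password):
    """Vulnerable: the input is pasted into the SQL text, so the database
    cannot tell which characters are command and which are data."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, name, password):
    """Safe: the statement text is fixed; the values travel separately as
    parameters and are only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both versions with a valid password and with a quote-bearing input."""
    conn = make_db()
    # A quote in the input changes the meaning of the concatenated query
    # (the WHERE clause becomes true for every row); the parameterized query
    # compares the same text as a literal password and matches nothing.
    tampered = "' OR '1'='1"
    return {
        "concat_valid": login_concatenated(conn, "alice", "alice-secret"),
        "concat_tampered": login_concatenated(conn, "alice", tampered),
        "param_valid": login_parameterized(conn, "alice", "alice-secret"),
        "param_tampered": login_parameterized(conn, "alice", tampered),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated version returns every user for the tampered input, while the parameterized version returns nothing, which is exactly the "command versus data" distinction the reply describes.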
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.