johnaadams — 2011-10-19T19:48:29-04:00 — #1
Can anybody tell me how to prevent sql injection attack on a website..
felgall — 2011-10-19T21:08:10-04:00 — #2
Except where the query itself needs to be dynamically generated you should use prepare/bind so as to keep the SQL and the data separate.
Most instances where the query needs to be dynamically generated can also use prepare/bind although the coding can sometimes be a bit more complicated in order to map the data to the right places in the query.
johnaadams — 2011-10-20T14:38:22-04:00 — #3
The answers looks simple but its solution is very hard . Am still reseaching the same thing prevent attack by sql injection.
Thanks for the suggestion.
eldad — 2011-10-24T12:08:23-04:00 — #4
If you are reluctant from applying code based solutions for SQL Injection you can consider adding an external security layer like a web application firewall.
I am not sure if I can post direct links to commercial services. However, there is a new market of web security and performance cloud services. Most have some kind of free offering for small sites.
Instead of sending you links to the services (and probably getting nasty messages from the forum moderators) I am sending a link that reviews the two leading solutions in this space. You can choose for yourself.
Hope this helps.
felgall — 2011-10-24T14:10:54-04:00 — #5
What is so hard about using prepare and bind? For most queries it is no more complicated than the alternatives that are vulnerable to injection.
The only complication is when you are dynamically building the query that you need to dynamically build the parameter list for the bind at the same time.
The only part of a query that can't be made into data and passed in via the bind and which would therefore still be vulnerable is where you want to allow your visiitor to specify the table name - and that would be extremely rare.
johnaadams — 2011-10-25T19:20:18-04:00 — #6
ok .. thanks for your help felgall ......
cmsfan — 2011-12-15T10:23:17-05:00 — #7
one thinkg that will help is to check the data that i being send in the link, if you expect character (only) do a check if there are no numbers in it, if you expect numbers in your script do a check so it only accept numbers.
Its a simple addiion that dont take up much server time, tho at least help you protect something.
felgall — 2011-12-15T13:24:29-05:00 — #8
That test should have been done when the data is first read in - long before it is sent to the database (and done regardless of whether it is even to be sent to a database).
At best not validating the input data means that you waste time processing garbage.