• Preventing SQL Injection is a multi-tiered approach.

    1. The application needs to inspect the strings where there was input from the user

    Here is an MSDN article which lists characters which should be removed from the strings:

    http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx

    2. On the SQL Server, you would

    a. as stated before, only give minimal permissions for the application

    b. use stored procedures or parameterized queries

    None of these are quick changes, other than perhaps restricting the permissions that the application has and testing to see if it breaks anything.

    SQL Injection is one of those things that need to be considered at the very beginning of application and database design, not an afterthought. The DBA should make and enforce standards for accessing the database.

    article:

    http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

    Steve
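The point of step 2b above, as an added example that is not part of the original post or the MSDN articles it links: the same login query built by string concatenation and then as a parameterized query, run against a constructed in-memory SQLite table. The table, user records, function names and the two attack strings are all assumptions made for this illustration; the metacharacter check at the end mirrors the character list in the linked MSDN "SQL Injection" article and is only a defense-in-depth screen, since it is the parameterized query that actually stops the attack.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Two classic attack strings (assumed, for illustration):
#   COMMENT_OUT  - closes the quote and comments out the password check
#   TAUTOLOGY    - closes the quote and appends an always-true condition
COMMENT_OUT = "alice' --"
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text from user input: the input becomes part of the query."""
    sql = (
        "SELECT username FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_parameterized(conn, username, password):
    """Same query, but the values travel as parameters, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


# Characters the MSDN "SQL Injection" article calls out as needing review in
# user input: statement delimiter, string delimiter, comment markers, and the
# xp_ prefix used by extended stored procedures.
SUSPICIOUS_TOKENS = (";", "'", "--", "/*", "*/", "xp_")


def looks_like_injection(value):
    """Defense-in-depth screen only; parameterization is the real control."""
    lowered = value.lower()
    return any(token in lowered for token in SUSPICIOUS_TOKENS)


if __name__ == "__main__":
    conn = make_db()
    print("legit, concatenated :", login_vulnerable(conn, "alice", "s3cret"))
    print("comment-out attack  :", login_vulnerable(conn, COMMENT_OUT, "wrong"))
    print("tautology attack    :", login_vulnerable(conn, "alice", TAUTOLOGY))
    print("parameterized, same :", login_parameterized(conn, COMMENT_OUT, "wrong"),
          login_parameterized(conn, "alice", TAUTOLOGY))
    print("screen flags input  :", looks_like_injection(COMMENT_OUT))
```

With string concatenation the comment-out string logs in as alice without a password and the tautology returns every row; the parameterized version returns nothing for both, because the quote and the `--` arrive as data inside the bound value rather than as query syntax. The same distinction holds for ADO.NET's `SqlParameter` against SQL Server, which is what the linked MSDN magazine article covers.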