• Very generic question...

    First and best way to prevent any SQL injection:

    * Don't allow clients to create dynamic SQL. Secure the complete database with a stored-procedure interface.

    * Do not use any dynamic SQL within those procedures.

    For new-school client technologies:

    Today O/R-Mapper frameworks are becoming more and more common. Use well-known frameworks like (N)Hibernate or Entity Framework. The large frameworks always ensure correct, non-injectable SQL. Don't use rebel frameworks. Don't use the custom SQL features (if any) of these frameworks.

    More optimistic prevention (which still can work):

    If you don't use an O/R-Mapper and your client apps generate dynamic SQL statements, tell the developers never to add values as strings. Always use the data provider interfaces, like SqlCommand objects in .NET.

    Greets

    Flo
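As an added example (not part of Flo's post), this is what the last two recommendations look like in .NET with System.Data.SqlClient: the string-concatenation anti-pattern beside a parameterised SqlCommand and a stored-procedure call. The table Users, its columns Id and UserName, and the procedure dbo.GetUserId are assumed names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original post. Table, column and procedure
// names (Users, Id, UserName, dbo.GetUserId) are assumptions for illustration.
public static class UserLookup
{
    // ANTI-PATTERN ("adding values as strings"): the caller's value becomes part of
    // the SQL text. A quote character inside userName ends the string literal and
    // whatever follows is executed as SQL, so the statement's meaning is controlled
    // by the client. Shown only as the 'before' of the fix.
    public static string UnsafeQueryText(string userName)
    {
        return "SELECT Id FROM Users WHERE UserName = '" + userName + "'";
    }

    // Parameterised SqlCommand: the statement text is fixed and the value travels as a
    // typed parameter, so it is always compared as data and can never change the
    // structure of the query, whatever characters it contains.
    public static int? FindUserId(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand(
            "SELECT Id FROM Users WHERE UserName = @userName", conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 128).Value = userName;
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? (int?)null : (int)result;
        }
    }

    // Stored-procedure interface: the client sends only a procedure name and parameters,
    // never SQL text, and can be granted EXECUTE on the procedure without any direct
    // table permissions. The procedure itself must not build dynamic SQL from @userName
    // (no EXEC of concatenated text), or the injection problem simply moves server-side.
    public static int? FindUserIdViaProcedure(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand("dbo.GetUserId", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 128).Value = userName;
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? (int?)null : (int)result;
        }
    }
}
```

The parameter is given an explicit type and length so the provider also rejects values that do not fit the column, which is a second, independent check on what the client can send.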