#1 JohnAadams (SitePoint Member; joined Oct 2011; 8 posts)

    How can we protect our website from SQL injection

    Can anybody tell me how to prevent SQL injection attacks on a website?

#2 felgall (Programming Since 1978; joined Sep 2005; Sydney, NSW, Australia; 16,789 posts)
    Except where the query itself needs to be dynamically generated, you should use prepare/bind so as to keep the SQL and the data separate.

    Most instances where the query needs to be dynamically generated can also use prepare/bind although the coding can sometimes be a bit more complicated in order to map the data to the right places in the query.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

#3 JohnAadams (SitePoint Member; joined Oct 2011; 8 posts)
    The answer looks simple, but its solution is very hard. I am still researching the same thing: how to prevent attacks by SQL injection.

    Thanks for the suggestion.

#4 SitePoint Enthusiast (username not shown; joined May 2011; 35 posts)
    If you are reluctant to apply code-based solutions for SQL injection, you can consider adding an external security layer like a web application firewall.
    I am not sure if I can post direct links to commercial services. However, there is a new market of web security and performance cloud services. Most have some kind of free offering for small sites.
    Instead of sending you links to the services (and probably getting nasty messages from the forum moderators), I am sending a link that reviews the two leading solutions in this space. You can choose for yourself.
    http://www.husdal.com/2011/07/01/inc...us-cloudflare/

    Hope this helps.
    Incapsula:
    Maximum Security and Performance for any Web Site - FREE Signup

#5 felgall (Programming Since 1978; joined Sep 2005; Sydney, NSW, Australia; 16,789 posts)
    Quote Originally Posted by JohnAadams:
        The answer looks simple, but its solution is very hard. I am still researching the same thing: how to prevent attacks by SQL injection.

        Thanks for the suggestion.
    What is so hard about using prepare and bind? For most queries it is no more complicated than the alternatives that are vulnerable to injection.

    The only complication is when you are dynamically building the query: you need to dynamically build the parameter list for the bind at the same time.

    The only part of a query that can't be made into data and passed in via the bind, and which would therefore still be vulnerable, is where you want to allow your visitor to specify the table name - and that would be extremely rare.
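The prepare/bind approach described in posts #2 and #5, as an added example that is not code from the thread. It uses Python's standard sqlite3 module with a constructed in-memory users table (the table, column names and rows are assumptions made for the demonstration). It shows the string-built query beside the bound one, then builds a dynamic WHERE clause the way #5 describes: the SQL fragments come from an allowlist of columns while the values travel through a bind list assembled alongside the query. Because identifiers cannot be bound, the one case #5 calls out, a visitor-chosen table name, is checked against an allowlist instead.

```python
"""Prepare/bind versus string-built SQL, including the dynamic-query case.

Added example, not code from the thread. Uses Python's standard sqlite3
module and a constructed in-memory table; table name, columns and rows
are assumptions made for the demonstration.
"""
import sqlite3


def make_db():
    """Constructed sample data: three users, one with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, active) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1),
         ("bob", "bob@example.com", 0),
         ("o'brien", "ob@example.com", 1)],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The data is pasted into the SQL text, so the data can rewrite the query."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Placeholder plus bound value: the value is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def vulnerable_breaks_on(conn, username):
    """True if the string-built query does not even parse for this input
    (a perfectly legitimate O'Brien is enough to break it)."""
    try:
        find_user_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


# Dynamic queries: the SQL text is assembled from fixed fragments chosen by
# allowlist, and the bind list is assembled alongside it.
ALLOWED_TABLES = {"users"}
ALLOWED_FILTERS = {"username": "username", "email": "email", "active": "active"}


def resolve_table(name):
    """Identifiers cannot be bound, so a user-chosen table name is allowlisted."""
    return name if name in ALLOWED_TABLES else None


def search_users(conn, filters, table="users"):
    """filters: mapping of filter key -> value. Keys are mapped to columns
    through ALLOWED_FILTERS; values go through the bind list."""
    table_name = resolve_table(table)
    if table_name is None:
        raise ValueError("table not allowed: %r" % table)
    clauses, params = [], []
    for key, value in filters.items():
        column = ALLOWED_FILTERS.get(key)
        if column is None:
            raise ValueError("unknown filter: %r" % key)
        clauses.append("%s = ?" % column)  # SQL fragment from the allowlist
        params.append(value)               # data goes to the driver, not the SQL text
    sql = "SELECT username FROM %s" % table_name
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY username"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, tautology))  # every user
    print("bound:     ", find_user_safe(db, tautology))        # []
    print("dynamic:   ", search_users(db, {"active": 1}))
```

With the input `x' OR '1'='1` the string-built query returns every row, while the bound query looks for a user literally named that and returns nothing; the same string-built query cannot even handle a real name containing an apostrophe. Note that sqlite3 refuses to run more than one statement per execute call, so a stacked `'; DROP TABLE ...` payload is not reproducible here even in the vulnerable function; the tautology is enough to show the point.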

#6 JohnAadams (SitePoint Member; joined Oct 2011; 8 posts)
    OK, thanks for your help, felgall.

#7 cmsfan (SitePoint Enthusiast; joined Dec 2011; Holland; 31 posts)
    One thing that will help is to check the data that is being sent in the link: if you expect characters (only), check that there are no numbers in it; if you expect numbers in your script, check so that it only accepts numbers.
    It's a simple addition that doesn't take up much server time, though it at least helps you protect something.

#8 felgall (Programming Since 1978; joined Sep 2005; Sydney, NSW, Australia; 16,789 posts)
    Quote Originally Posted by cmsfan:
        One thing that will help is to check the data that is being sent in the link: if you expect characters (only), check that there are no numbers in it; if you expect numbers in your script, check so that it only accepts numbers.
    That test should have been done when the data is first read in - long before it is sent to the database (and done regardless of whether it is even to be sent to a database).

    At best not validating the input data means that you waste time processing garbage.
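The check that #7 proposes and #8 places at the point where the data is first read, as an added example that is not code from the thread. The field names (`page`, `user`, `sort`) and the rule for each are assumptions chosen for the demonstration; the function validates a whole request mapping at once, rejecting unexpected fields, reporting missing ones, and converting each surviving value to the type the rest of the code expects, so that nothing downstream sees raw strings.

```python
"""Checking request data at the point it is read, before any other use.

Added example, not code from the thread. The field names and the rules
for each one are assumptions chosen for the demonstration.
"""
import re

# One rule per expected field: a pattern the whole value must match and a
# converter that turns the validated string into the type the code wants.
RULES = {
    "page": (re.compile(r"[0-9]{1,6}"), int),                  # numbers only
    "user": (re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}"), str),  # identifier-like
    "sort": (re.compile(r"name|date"), str),                    # fixed choices
}


def validate(raw):
    """Return (clean, errors). raw is the mapping of request parameters.
    Unknown fields are rejected, missing ones reported, and every surviving
    value is converted to its expected type."""
    clean, errors = {}, {}
    for key, value in raw.items():
        rule = RULES.get(key)
        if rule is None:
            errors[key] = "unexpected field"
            continue
        pattern, convert = rule
        # fullmatch, not match/search: "123\n" or "name; DROP" must not slip through
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            errors[key] = "invalid value"
            continue
        clean[key] = convert(value)
    for key in RULES:
        if key not in raw:
            errors[key] = "missing"
    return clean, errors


if __name__ == "__main__":
    print(validate({"page": "3", "user": "alice", "sort": "name"}))
    print(validate({"page": "3' OR '1'='1", "user": "alice", "sort": "name; DROP"}))
```

Two things are worth noting about where this sits. The `sort` rule narrows a value that will end up as an identifier in an ORDER BY clause to a fixed set of choices, which is exactly the kind of value prepare/bind cannot carry. The check is not a replacement for binding the other values, though: a rule that accepts real names would have to allow an apostrophe, so the data still has to be kept out of the SQL text by the bind.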

