Home > Archive > Microsoft SQL Server forum > March 2006 > Preventing SQL Injection attacks









You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

 

Author Preventing SQL Injection attacks
Kevin Audleman

2006-03-05, 8:33 pm

My site has come under attack from sql injections. I thought I had
things handled by replacing all single quotes with two single quotes,
aka

Replace(inputString,
"'", "''")

Alas, clever hackers have still managed to find a way to drop columns
from some of my tables. Can anybody direct me towards a best practice
document on preventing these attacks?

Thank you thank you,

Kevin

jennifer1970@hotmail.com

2006-03-05, 8:33 pm


Kevin Audleman wrote:
> My site has come under attack from sql injections. I thought I had
> things handled by replacing all single quotes with two single quotes,
> aka
>
> Replace(inputString,
"'", "''")
>
> Alas, clever hackers have still managed to find a way to drop columns
> from some of my tables. Can anybody direct me towards a best practice
> document on preventing these attacks?
>
> Thank you thank you,
>
> Kevin

jennifer1970@hotmail.com

2006-03-05, 8:33 pm

http://www.wwwcoder.com/main/parent...68/default.aspx

http://www.vbmysql.com/articles/sqlinjection.html

http://msdn.microsoft.com/msdnmag/i...9/SQLInjection/

http://shiflett.org/articles/security-corner-apr2004

http://www.microsoft.com/technet/pr...n/sp3sec03.mspx

Kevin Audleman

2006-03-05, 8:33 pm

Thank you Jennifer =)

Erland Sommarskog

2006-03-05, 8:33 pm

Kevin Audleman (audleman@quasika.net) writes:
> My site has come under attack from sql injections. I thought I had
> things handled by replacing all single quotes with two single quotes,
> aka
>
> Replace(inputString,
"'", "''")
>
> Alas, clever hackers have still managed to find a way to drop columns
> from some of my tables. Can anybody direct me towards a best practice
> document on preventing these attacks?

Learn about using parameterised commands in whichever API you are using.



--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx
Sponsored Links





Also available: Server administration forum archive | Web Design forum archive | Software forum archive | Hardware reviews archive | Programming forum archive

Copyright 2008 droptable.com