SQL Injection is the most common threat that a web application faces. SQL Injection is a type of attack in which the attacker inserts malicious code into strings that are passed to an instance of SQL Server for parsing and execution. All procedures that construct SQL statements should be reviewed for injection vulnerabilities, because SQL Server executes any script that is syntactically valid. A determined attacker can even manipulate parameterized data.
Developers should follow the instructions below to avoid injection attacks.

1. Validate all input.
2. Use type-safe SQL parameters.
3. Use parameterized input with stored procedures.
4. Use the parameters collection with dynamic SQL.
5. Filtering input may also be helpful in protecting against SQL injection by removing escape characters.
6. Note that if you are using a LIKE clause, wildcard characters still must be escaped.
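The following is an added example, not code from the original post, that walks through items 1 to 6 above: a vulnerable string-concatenated query beside its parameterized form, an allow-list for the parts of dynamic SQL that cannot be bound as parameters (identifiers such as a sort column), and the extra escaping a LIKE clause still needs even when its pattern is a bound parameter. It uses Python's built-in `sqlite3` as a stand-in for SQL Server so it runs offline; the table, rows and helper names are constructed for illustration, and the assumption is that the same pattern carries over to `SqlCommand.Parameters` in ADO.NET or a `?`-style parameter in any other driver.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"name", "role"}  # allow-list for identifiers (constructed)


def make_db():
    # Constructed in-memory database standing in for SQL Server. The rows are
    # sample data; "50%off" exists only to exercise the LIKE wildcard case.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin"), ("50%off", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable (the 'before'): the caller's string is spliced into the
    # statement text, so any syntactically valid SQL it contains is executed.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened: validate the input's type and length (item 1), then bind it
    # as a parameter (items 2-4). The value is sent separately from the SQL
    # text and is never parsed as part of the statement.
    if not isinstance(name, str) or not (0 < len(name) <= 64):
        raise ValueError("name must be a non-empty string of at most 64 characters")
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def list_users_sorted(conn, sort_col, min_id):
    # Dynamic SQL: a column name cannot be bound as a parameter, so it is
    # checked against an allow-list; every value is still bound normally.
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    if not isinstance(min_id, int):
        raise ValueError("min_id must be an integer")
    sql = f"SELECT name FROM users WHERE id >= ? ORDER BY {sort_col}"
    return conn.execute(sql, (min_id,)).fetchall()


def escape_like(term, esc="\\"):
    # Item 6: a bound parameter cannot inject SQL, but LIKE still treats
    # % and _ as wildcards, so a literal search term must escape them
    # (and the escape character itself) before the wildcard suffix is added.
    return (
        term.replace(esc, esc + esc)
            .replace("%", esc + "%")
            .replace("_", esc + "_")
    )


def search_users_like(conn, prefix):
    # Prefix search: the user-supplied part is escaped, the trailing % is ours,
    # and the ESCAPE clause tells the engine which character we used.
    pattern = escape_like(prefix) + "%"
    return conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, tautology))   # every row comes back
    print("safe:  ", find_user_safe(db, tautology))     # no row has that literal name
    print("like:  ", search_users_like(db, "50%"))      # only the literal "50%off"
```

The LIKE helper is the part practitioners most often miss: a query such as `WHERE name LIKE ?` with the pattern `'%'` is perfectly safe from injection and still returns every row, because the wildcard is interpreted inside the bound value. Escaping is a data-correctness control layered on top of parameterization, not a substitute for it.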
Here is a sample video on YouTube.com which shows SQL Injection: