How to protect site for sql injection » Computer internet security 
information computer networking security
How to protect site for sql injection

Saturday, January 12, 2008, 22:42
This news item was posted in Data Security category and has 1 Comment so far.

The most common methods to prevent this kind of SQL injection vulnerability are to check the user’s input for dangerous characters like single quotes, and to use prepared statements, which tell the database exactly what to expect before any user-provided data is passed to it. Keep in mind that not everyone uses MySQL: you need to understand your own database, know its escape characters, and know which characters can cause problems.

The key to stopping injections is to know what you are trying to stop.

You should decide whether the input given is acceptable or not, and bounce it back to the user if it isn’t.

You can also set up logs: log all data that doesn’t validate, and make sure that the validation routines you write are doing what they are supposed to and are not causing errors due to unforeseen exceptions.

Added: some further, partial information.

Logging everything: success, failure, anything. I don’t like deleting anything; having full tracks is a great option. Cross-referencing Apache logs with DB info and validation logs, all of these help one understand what is happening with a site.

If the input is supposed to be a State/Country/etc., make sure that is what it is.

If it is a phone number, make sure it is a number…

If it is an ISBN, make sure it is an ISBN…

If it is a SKU, make sure it is a SKU…

An email should be an email…

A URL, a URL…

Time, time…
Date, date…

Limit field sizes realistically, and check input to be sure it is under the limit.

There is very little input that is not identifiable by type, value, format, size or structure. Use what is known to screen input before it gets anywhere near a db call routine.
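As an added example, not code from the original post, here is a small Python sketch of the two points above: a lookup that splices user input into SQL beside one that validates by type and size first and then binds the value with a placeholder, logging whatever is rejected. The book rows, ISBNs and the simplified regexes are constructed for the example; they are not a complete ISBN, phone or e-mail grammar.

```python
import logging
import re
import sqlite3

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("input-validation")


def make_db():
    """Constructed sample table in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE books (isbn TEXT, title TEXT)")
    db.executemany("INSERT INTO books VALUES (?, ?)",
                   [("9780131103627", "The C Programming Language"),
                    ("9780262033848", "Introduction to Algorithms")])
    return db


# Each input type has a known format and a realistic size limit (simplified patterns).
VALIDATORS = {
    "isbn": (re.compile(r"\d{13}"), 13),
    "phone": (re.compile(r"\+?\d{7,15}"), 16),
    "email": (re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}"), 320),
}


def validate(kind, value, who="anonymous"):
    """True if value has the expected format and size; otherwise log it and reject."""
    pattern, max_len = VALIDATORS[kind]
    if len(value) > max_len or not pattern.fullmatch(value):
        log.warning("rejected %s from %s: %r", kind, who, value)
        return False
    return True


def find_title_unsafe(db, isbn):
    # Vulnerable: user data becomes part of the SQL text, so a single quote
    # in the input changes the structure of the statement.
    sql = "SELECT title FROM books WHERE isbn = '" + isbn + "'"
    return [row[0] for row in db.execute(sql)]


def find_title_safe(db, isbn):
    # Hardened: screen the input by type before any DB call, then bind it
    # with a placeholder so the database treats it purely as data.
    if not validate("isbn", isbn):
        return []
    rows = db.execute("SELECT title FROM books WHERE isbn = ?", (isbn,))
    return [row[0] for row in rows]


def compare(db, isbn):
    """Run both lookups on one input; the unsafe side reports 'SQL error' if it breaks."""
    try:
        unsafe = find_title_unsafe(db, isbn)
    except sqlite3.OperationalError:
        unsafe = "SQL error"
    return unsafe, find_title_safe(db, isbn)
```

With a well-formed ISBN both paths return the same title; with an apostrophe in the input the spliced query no longer parses, while the validated path rejects the value before it reaches the database and records it in the log.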

It really depends where you log. For forms where the user is already authenticated, I use info out of the session to uniquely identify them. For public stuff, I just log as much info as I can. You may also want things like the user agent, as that may affect things.

Both syslog and custom log files are used.

syslog is awesome, though, because of its fire-and-forget way of doing things.

Log the auth scripts too: knowing when and why people get kicked out is very important.

1 Response to “How to protect site for sql injection”

  1. Quotes From Home Security Systems said on Wednesday, February 20, 2008, 8:37

    Home Appliance Insurance: Add An Extra Security!…

    Quite honestly, anyone who owns a house needs a home insurance; but this home insurance of yours may not give you an extensive coverage to cover all the appliances of your homes. So insure the appliances of your homes with home appliance insurance….
