- Use QUOTENAME to wrap user-supplied parameters to prevent SQL injection by delimiting them. It only applies to sys object identifiers (table names, column names, etc.), which are sysname, i.e. nvarchar(128).
- For simple string parameters, REPLACE every single quote with two single quotes ('') and then delimit the parameter with quotes, so the value cannot close the string literal.
- Make sure that all parameters passed in are validated at the client application layer.
- For dynamic string executions (DSE) in a stored procedure, you can even create a login-less user with very low privileges to execute that DSE within the stored procedure. This is done by restricting the execution context with EXECUTE AS.
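The following T-SQL is an added example, not code from the original post: it combines the three points above in one stored procedure. A login-less user owns the execution context via EXECUTE AS, QUOTENAME delimits the column identifier, and REPLACE doubles single quotes in the string value. The names dbo.Customers, dyn_sql_runner and usp_SearchByColumn are assumptions for illustration only.

```sql
-- Added example (not from the original post). Assumed names: dbo.Customers,
-- dyn_sql_runner, dbo.usp_SearchByColumn.

-- 1. Login-less user that holds only the permission the dynamic SQL needs.
CREATE USER dyn_sql_runner WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO dyn_sql_runner;
GO

CREATE PROCEDURE dbo.usp_SearchByColumn
    @ColumnName  sysname,         -- sys object name, nvarchar(128)
    @SearchValue nvarchar(200)    -- simple string parameter
WITH EXECUTE AS 'dyn_sql_runner'  -- restrict the execution context of the DSE
AS
BEGIN
    SET NOCOUNT ON;

    -- Server-side validation: the column must actually exist on the table.
    IF NOT EXISTS (SELECT 1
                   FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Customers')
                     AND name = @ColumnName)
    BEGIN
        RAISERROR(N'Unknown column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max);

    -- QUOTENAME wraps the identifier in [ ] and escapes any ] inside it.
    -- REPLACE doubles every single quote so the value cannot end the literal.
    SET @sql = N'SELECT * FROM dbo.Customers WHERE '
             + QUOTENAME(@ColumnName)
             + N' = N'''
             + REPLACE(@SearchValue, N'''', N'''''')
             + N''';';

    EXEC (@sql);
END;
GO

-- Constructed input containing quotes: after REPLACE the generated statement is
-- SELECT * FROM dbo.Customers WHERE [LastName] = N'O''Brien'' OR 1=1 --';
-- which compares against the literal text rather than altering the WHERE clause.
EXEC dbo.usp_SearchByColumn @ColumnName  = N'LastName',
                            @SearchValue = N'O''Brien'' OR 1=1 --';
```

Because the procedure runs as dyn_sql_runner, any statement that reaches EXEC can only do what that user is granted (here, SELECT on one table). The existence check against sys.columns is the server-side counterpart of the client-side validation the post asks for; the two layers are complementary, not alternatives.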
Friday, September 12, 2014
Avoiding Sql Injection