SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input. Injected SQL commands can alter the SQL statement and compromise the security of a web application. A SQL injection attack can occur when a web application utilises user-supplied data, without proper validation or encoding, as part of a command or query.

Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.

One way to protect a web site from SQL injection attacks is to use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner. These parameters are represented in the SQL statement by a @ marker.

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)

Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.
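The following is an added example, not code from the original page: it puts the string-concatenation anti-pattern beside the parameterized form using Python's sqlite3 module, which uses `?` as its parameter marker where the text above uses `@`. The table and user names are constructed sample data.

```python
import sqlite3

# Constructed in-memory sample data (not from the original page).
USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'brien", "obrien@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Anti-pattern: user input is pasted into the SQL text, so the database
    cannot tell where the developer's code ends and the data begins."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fix: the SQL text is fixed up front and the value is bound at
    execution time, so the input is only ever treated as data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """The concatenated query also fails on legitimate input with a quote."""
    try:
        find_user_vulnerable(conn, "o'brien")
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    """Row counts for the same inputs under both query styles."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # input that rewrites the WHERE clause
    apostrophe = "o'brien"      # legitimate input containing a quote
    return {
        "vuln_tautology": len(find_user_vulnerable(conn, tautology)),
        "param_tautology": len(find_user_parameterized(conn, tautology)),
        "param_apostrophe": len(find_user_parameterized(conn, apostrophe)),
    }
```

The concatenated query returns every row for the tautology input, while the parameterized query returns none for it and still finds the user whose name contains an apostrophe.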

Option #2: Use of Stored Procedures

The difference between prepared statements and stored procedures is that the SQL code for a stored procedure is defined and stored in the database itself, and then called from the application.

Option #3: Escaping all User Supplied Input

Each DBMS supports one or more character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme for the database you are using, the DBMS will not confuse that input with SQL code written by the developer, thus avoiding any possible SQL injection vulnerabilities.

Additional Defenses:

Also Enforce: Least Privilege

Also Perform: White List Input Validation