Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

Re: Preventing malicious T-SQL injection attacks

by jonadab (Parson)
on Mar 05, 2007 at 12:35 UTC ( #603199=note: print w/replies, xml ) Need Help??

in reply to Preventing malicious T-SQL injection attacks

I guess that it might be an idea to limit the SPROCs that can be called. It might be an idea to make it impossible to activate any SPROC that is a system SPROC. That would require screening of the $SPROC variable.

Whitelist. Make a list of all the acceptable values of $SPROC, and don't execute anything that's not on the list. In information security, it is always far, far better to use a whitelist than a blacklist. Anything not expressly allowed is automatically verboten. Don't put anything on the list that doesn't actually need to be there.

Plus do what bart suggests above, with the placeholders. I was going to say that, but he beat me to it. It's good advice.

We're working on a six-year set of freely redistributable Vacation Bible School materials.
  • Comment on Re: Preventing malicious T-SQL injection attacks

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603199]
[Corion]: I have Thursday and Friday off, so then I might get to converting the rough outlines to more articles ;)
[Corion]: But currently, most of the modules are web-related and I don't like to publish two web articles in a row
[Corion]: Maybe I should do the Filter::Simple release on the next weeked - this would give me one more article to milk from this theme

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (6)
As of 2017-04-24 08:57 GMT
Find Nodes?
    Voting Booth?
    I'm a fool:

    Results (437 votes). Check out past polls.