PerlMonks  

Re: Preventing malicious T-SQL injection attacks

by jonadab (Parson)
on Mar 05, 2007 at 12:35 UTC


in reply to Preventing malicious T-SQL injection attacks

I guess that it might be an idea to limit the SPROCs that can be called. It might be an idea to make it impossible to activate any SPROC that is a system SPROC. That would require screening of the $SPROC variable.

Whitelist. Make a list of all the acceptable values of $SPROC, and don't execute anything that's not on the list. In information security, it is always far, far better to use a whitelist than a blacklist. Anything not expressly allowed is automatically verboten. Don't put anything on the list that doesn't actually need to be there.

Plus do what bart suggests above, with the placeholders. I was going to say that, but he beat me to it. It's good advice.

-- 
We're working on a six-year set of freely redistributable Vacation Bible School materials.
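One way to combine the two pieces of advice in Perl, as an added example that is not code from the post: the stored procedure name must come from a whitelist hash, and every argument is bound through a DBI placeholder. The procedure names, the DSN and the credentials are assumed placeholders.

```perl
use strict;
use warnings;
use DBI;

# Whitelist: the only stored procedures this script may ever run.
# Keys are the exact names a caller may request, values are the number
# of arguments each takes (hypothetical names, not from the post).
my %ALLOWED_SPROC = (
    usp_GetCustomer => 1,
    usp_ListOrders  => 2,
);

# Return the procedure name if it is whitelisted, else undef.
# No pattern matching on the name: anything not in the hash is refused,
# which covers system procedures without having to enumerate them.
sub allowed_sproc {
    my ($name) = @_;
    return exists $ALLOWED_SPROC{$name} ? $name : undef;
}

# Execute a whitelisted procedure. The name is interpolated into the
# T-SQL text only after the whitelist check; every argument travels as
# a bound placeholder, so untrusted input never becomes part of the SQL.
sub call_sproc {
    my ($dbh, $name, @args) = @_;
    my $sproc = allowed_sproc($name)
        or die "Refusing to execute '$name': not on the whitelist\n";
    my $want = $ALLOWED_SPROC{$sproc};
    die "$sproc expects $want argument(s), got " . scalar(@args) . "\n"
        if @args != $want;
    my $marks = join ', ', ('?') x $want;      # "?, ?" for two arguments
    my $sth = $dbh->prepare("EXEC $sproc $marks");
    $sth->execute(@args);
    return $sth;
}

# Assumed connection; DSN and credentials are placeholders.
my $dbh = DBI->connect('dbi:ODBC:DSN=MyServer', 'user', 'pass',
                       { RaiseError => 1, PrintError => 0 });

# Constructed untrusted input, as it might arrive from CGI parameters.
my ($requested, $id) = ('usp_GetCustomer', '42 OR 1=1');

# The whitelist decides whether the name runs at all; the placeholder
# delivers the hostile-looking $id as one bound value, not as SQL text.
my $sth = call_sproc($dbh, $requested, $id);
while (my $row = $sth->fetchrow_hashref) {
    print join("\t", map { $row->{$_} } sort keys %$row), "\n";
}
# A request for any name absent from %ALLOWED_SPROC dies before prepare().
```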

