"be consistent" | |
PerlMonks |
Re: Preventing malicious T-SQL injection attacksby jonadab (Parson) |
on Mar 05, 2007 at 12:35 UTC ( [id://603199]=note: print w/replies, xml ) | Need Help?? |
I guess that it might be an idea to limit the SPROCs that can be called. It might be an idea to make it impossible to activate any SPROC that is a system SPROC. That would require screening of the $SPROC variable. Whitelist. Make a list of all the acceptable values of $SPROC, and don't execute anything that's not on the list. In information security, it is always far, far better to use a whitelist than a blacklist. Anything not expressly allowed is automatically verboten. Don't put anything on the list that doesn't actually need to be there. Plus do what bart suggests above, with the placeholders. I was going to say that, but he beat me to it. It's good advice. --
We're working on a six-year set of freely redistributable Vacation Bible School materials.
In Section
Seekers of Perl Wisdom
|
|