Limiting SQL injection in SQL Server 2005
I have a site in ASP and on the back-end in SQL Server 2005, but I keep finding SQL injection on my site. Is there code that will prevent SQL injection from getting onto my site?

ASKED: September 9, 2008  7:39 PM
UPDATED: March 26, 2012  4:20 PM

Answer Wiki:
Check your input always! Make sure the input is not garbage and it is what is expected. Remember <b>GIGO</b>! See these articles: <a href="http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx">CodeProject</a> <a href="http://www.wwwcoder.com/main/parentid/258/site/2966/68/default.aspx">WWWCoder</a> <a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci884696,00.html">SearchSecurity</a> If you have never heard of <a href="http://www.4guysfromrolla.com/webtech/061902-1.shtml">4GuysFromRolla</a>... then be sure to spend some time on their site. Here is an article on securing your system from <a href="http://searchsqlserver.techtarget.com/tip/0,289483,sid87_gci1318837,00.html">SQL injection</a>. The basic gist of all these articles will be that you need to verify the input prior to the data getting into the database. Once the values are in the database, the SQL Server can't do much to make sure that the data is valid. It needs to be validated before the data gets into the database. The article above on SearchSQLServer.com shows some sample .NET code on how to prevent the bad code from getting into your database.
Last Wiki Answer Submitted:  September 10, 2008  3:25 am  by  Labnuke99   32,735 pts.
All Answer Wiki Contributors:  Labnuke99   32,735 pts.
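
An added example (not part of the answer above and not taken from the linked articles) of checking input before it reaches the database, combined with typed parameters so the values never become part of the SQL text. It assumes an ASP.NET site using System.Data.SqlClient; the table, column names and the category allowlist rule are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

static class ProductLookup
{
    // Allowlist: what a category name is expected to look like (assumed rule).
    static readonly Regex CategoryRule = new Regex(@"\A[A-Za-z0-9 \-]{1,40}\z");

    // Returns a ready-to-run command, or throws if the input is not what is expected.
    public static SqlCommand Build(string rawId, string rawCategory)
    {
        int id;
        if (!int.TryParse(rawId, out id) || id <= 0)
            throw new ArgumentException("id must be a positive integer");
        if (rawCategory == null || !CategoryRule.IsMatch(rawCategory))
            throw new ArgumentException("category has unexpected characters or length");

        // Values travel as typed parameters, never concatenated into the SQL text.
        // dbo.Products and its columns are hypothetical names.
        var cmd = new SqlCommand(
            "SELECT Name, Price FROM dbo.Products WHERE ProductId = @id AND Category = @cat");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        cmd.Parameters.Add("@cat", SqlDbType.NVarChar, 40).Value = rawCategory;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs: one expected value pair, two that must be rejected.
        string[][] samples = {
            new[] { "42", "Garden Tools" },
            new[] { "42; DROP TABLE Products", "Garden Tools" },
            new[] { "42", "x' OR '1'='1" },
        };
        foreach (var s in samples)
        {
            try
            {
                using (SqlCommand cmd = Build(s[0], s[1]))
                    Console.WriteLine("accepted: {0} parameters bound", cmd.Parameters.Count);
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("rejected ({0}): id={1} category={2}", e.Message, s[0], s[1]);
            }
        }
    }
}
```

The command is only built here, not executed, so the example runs without a database; in a page handler, assign an open SqlConnection to `cmd.Connection` before calling `ExecuteReader()`.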


Discuss This Question:

Check out my SQL Server blog “SQL Server with Mr Denny” for more SQL Server information.

 64,550 pts.