You are developing an application that interacts with a SQL database, and you need to defend against SQL injection attacks.
SQL injection attacks are most common in web applications that use a
database to store data, but they can occur anywhere that a SQL
command string is constructed from any type of input from a user.
Specifically, a SQL injection attack is mounted by inserting
characters into the command string that creates a compound command in
a single string. For example, suppose a query string is created with
WHERE clause that is constructed from user
input. A proper command might be:
SELECT * FROM people WHERE first_name="frank";
If the value “frank” comes directly
from user input and is not properly validated, an attacker could
include a closing double quote and a semicolon that would complete
SELECT command and allow the attacker to
append additional commands. For example:
SELECT * FROM people WHERE first_name="frank"; DROP TABLE people;
Obviously, the best way to avoid SQL injection attacks is to not create SQL command strings that include any user input. In some small number of applications, this may be feasible, but more frequently it is not. Avoid including user input in SQL commands as much as you can, but where it cannot be avoided, you should escape dangerous characters.
SQL injection attacks are really just general input validation problems. Unfortunately, there is no perfect solution to preventing ...