There are several means to defend against SQL injection attacks. Some are reactive—detecting and even blocking the attacks in real time. Others are preventive—such as defensive coding and proactive assessment. This section discusses the various means of defending against SQL injection attacks.

Defense #1: Code Securely

Secure coding is the most effective defense against SQL injection attacks, and the techniques for defense are not difficult to employ. We will cover the two most effective techniques for making your application resistant to SQL injection: using prepared statements and filtering input to your SQL statements. These techniques can be used together, but prepared statements alone will save your bacon when it comes to SQL injection.

Educate your developers

Perhaps the most effective technique to prevent security flaws in your code is to help your developers avoid them as they develop the software. The truth is, good software development techniques often lend themselves to secure coding anyway. Simple techniques like input filtering can avoid both security flaws and unwanted crashes. Using precompiled statements (prepared statements) in database interactions protects from SQL injection and improves performance.

Secure coding classes are the single most effective tool for improving your chances of keeping security flaws at bay. To be effective, the classes should have the following characteristics:

  • Specific to the language in which the developers are working

  • Include a handful ...

Get SQL Injection Defenses now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.