SQL injection attacks are a growing criminal threat to your web applications, especially those that access sensitive data. Where are the best places to invest your resources? Some techniques, such as secure coding, are wise practices that benefit your application in related ways, such as improved performance and readability. Other defenses require much greater investment in deployment and support and should be used only on the most important or sensitive applications. With that in mind, here are the two most important things you can do to protect your applications from SQL injection attacks:
It's long been argued that fixing bugs during development is far more effective than fixing them in later phases, and the same holds true here. Spend time educating your developers on basic security practices. The time you spend up-front will be far less than you would spend cleaning up the mess if the vulnerabilities make their way into production.
The single most useful SQL injection defense is to use prepared statements anywhere you're passing input from the user to the database. It's also a good idea to pass user input through regular expressions, throwing out potentially dangerous input before sending it to any backend resource such as a database, command line, or web service. To complete the defense, don't make the hacker's job easy by spelling out SQL details in your error messages.
It's wise to have security ...