O'Reilly logo

SQL Injection Defenses by Martin Nystrom

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Conclusion and Bottom Line

SQL injection attacks are a growing criminal threat to your web applications, especially those that access sensitive data. Where are the best places to invest your resources? Some techniques, such as secure coding, are wise practices that benefit your application in related ways, such as improved performance and readability. Other defenses require much greater investment in deployment and support and should be used only on the most important or sensitive applications. With that in mind, here are the two most important things you can do to protect your applications from SQL injection attacks:

Code defensively

It's long been argued that fixing bugs during development is far more effective than fixing them in later phases, and the same holds true here. Spend time educating your developers on basic security practices. The time you spend up-front will be far less than you would spend cleaning up the mess if the vulnerabilities make their way into production.

The single most useful SQL injection defense is to use prepared statements anywhere you're passing input from the user to the database. It's also a good idea to pass user input through regular expressions, throwing out potentially dangerous input before sending it to any backend resource such as a database, command line, or web service. To complete the defense, don't make the hacker's job easy by spelling out SQL details in your error messages.

Monitor your most important applications

It's wise to have security ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required