- Implement strong server side validation for all user inputs including cookie values.
- Escape or filter the special characters in user inputs.
- Use store procedures whenever possible.
- Use parameterized queries or ORM.
- Avoid building SQL statements either in a class file or inside a procedure.
- Avoid using exec command in SQL Server.
- Avoid using sa account to connect database from the application.
- Use low privileged account to execute queries.
- Configure generic error page for the application and don’t display error information to user.
- Catch all possible exceptions, implement global exception handler.
--Vamsi Effective Blogs "Make everything as simple as possible but not simpler"--
Jul 9, 2015
Tips to Prevent SQL Injection Attacks
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment