Jul 9, 2015

Tips to Prevent SQL Injection Attacks

  1. Implement strong server-side validation for all user input, including cookie values and anything else the client controls, not just form fields.
  2. Escape or filter special characters in user input, but treat this as defence in depth rather than the primary control: escaping rules differ between databases and are easy to get wrong.
  3. Use stored procedures whenever possible, and keep them free of dynamic SQL. A procedure that concatenates its arguments into a string and executes it is just as injectable as application code that does the same.
  4. Use parameterized queries (prepared statements) or an ORM, so that the data is sent to the database separately from the SQL text and is never parsed as part of the statement.
  5. Avoid building SQL statements by string concatenation, whether in a class file or inside a stored procedure.
  6. Avoid the EXEC command with a concatenated string in SQL Server. Where dynamic SQL is unavoidable, use sp_executesql with typed parameters instead.
  7. Avoid using the sa account to connect to the database from the application.
  8. Use a low-privileged account to execute queries, granted only the permissions the application actually needs; an injection then cannot read or modify more than the application itself could.
  9. Configure a generic error page for the application and don't display error information to the user. Database error messages and stack traces reveal table and column names that make an attacker's job easier.
  10. Catch all possible exceptions and implement a global exception handler that logs the details server-side and returns the generic error page.
