
How to prevent SQL Injection attacks

Submitted by
Style Pass
2021-05-17 11:40:10

In the previous articles we’ve talked about SQL injection and dynamic SQL but we lacked an answer on how to prevent SQL injection attacks. Today we’ll do exactly that and show you one possible approach to how to do it. We’ll also mention other possible threats and approaches you could take.

In this article, we won’t focus so much on data, but rather on the code we could use to prevent SQL injection attacks. This code could be easily modified to fit your needs, or you could add some checks in case we missed some of them.

I first want to talk about threats, and the measures you can take against them, that are not related only to SQL injection. Let’s list them:

We talked about SQL injection in this article, so we won’t spend additional time explaining it here. Before moving to the heart of this article, I’ll mention IT/SQL-related measures and approaches you could use to prevent SQL injection attacks. I’ll list them starting with the mostly SQL-related ones and ending with those that are “evergreen” in IT.

Our approach will be based on SQL Server dynamic SQL, user-defined functions, and stored procedures. We’ll also test only values that are passed as text. We won’t implement checks to confirm whether the input string is an email address or a zip code.
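As an added example (not the article's own code, which this excerpt does not include), here is the pattern that approach describes, in T-SQL: a scalar UDF that allow-lists what a textual value may contain, a stored procedure that builds dynamic SQL unsafely by concatenation, and its hardened counterpart that keeps dynamic SQL but binds the value as a parameter through sp_executesql. The table dbo.Customer, its rows, and the function and procedure names are constructed for the illustration; CREATE OR ALTER assumes SQL Server 2016 SP1 or later.

```sql
-- Constructed sample table (not from the article) so the procedures have something to query.
CREATE TABLE dbo.Customer (CustomerId INT PRIMARY KEY, Name NVARCHAR(100), City NVARCHAR(100));
INSERT INTO dbo.Customer VALUES (1, N'Ann', N'Berlin'), (2, N'Bo', N'Oslo');
GO

-- Second layer of defence: a scalar UDF that allow-lists the characters a textual value may contain.
-- Quotes, semicolons and comment markers are outside the list, so such input is rejected.
-- Widen the class if your data legitimately needs more (accented letters, apostrophes in names).
CREATE OR ALTER FUNCTION dbo.IsSafeText (@value NVARCHAR(4000))
RETURNS BIT
AS
BEGIN
    IF @value IS NULL OR LEN(@value) = 0 RETURN 0;
    -- [^...] matches any character NOT in the class; the hyphen is last so it is taken literally.
    IF @value LIKE N'%[^A-Za-z0-9 .,-]%' RETURN 0;
    RETURN 1;
END;
GO

-- Vulnerable pattern: the caller's text is spliced into the statement, so it is parsed as SQL.
CREATE OR ALTER PROCEDURE dbo.GetCustomersByCity_Unsafe @city NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customer WHERE City = N''' + @city + N''';';
    EXEC (@sql);
END;
GO

-- Hardened pattern: dynamic SQL is kept, but the value is checked by the UDF first and then
-- travels as a bound parameter through sp_executesql, so it is never parsed as SQL text.
CREATE OR ALTER PROCEDURE dbo.GetCustomersByCity @city NVARCHAR(100)
AS
BEGIN
    IF dbo.IsSafeText(@city) = 0
    BEGIN
        RAISERROR(N'Rejected: city contains characters outside the allow-list.', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customer WHERE City = @p_city;';
    EXEC sys.sp_executesql @sql, N'@p_city NVARCHAR(100)', @p_city = @city;
END;
GO

-- Usage: a normal value returns the matching row; in the hardened version the value can
-- only ever be compared against City, never executed.
EXEC dbo.GetCustomersByCity @city = N'Oslo';
```

The parameter binding is the actual defence; the UDF only narrows what the procedure accepts and should not be relied on alone.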
