
Thread: Searching a database, avoiding injection attacks

  1. #1 Junior Member

    Searching a database, avoiding injection attacks

    I'm modifying my work's website and I need some advice. I'm trying to figure out how I can avoid injection attacks while still accepting valid input.

    An example is: if a user types an apostrophe (don't), it checks for the apostrophe and then converts it to empty (dont). So if an article that is being searched for really has "don't" in it, the search list will not display it, because it converted the word to "dont".

    I thought of a solution but don't know if it will work entirely.

    // Skip the apostrophe-stripping "injection attack blocker" when the term
    // contains a known valid word with an apostrophe (repeat the test for every
    // such word). string.Replace returns a new string, so the result must be
    // assigned back or the apostrophe is never removed.
    string search = rd.SearchString;
    if (!(search.Contains("don't") /* || search.Contains(...) for all words with apostrophes */))
    {
        search = search.Replace("'", ""); // this is the injection attack blocker
    }
    // apply results and get the list, using 'search' as the term


    My thoughts are, if a user is really putting in a valid word with an apostrophe in it, then it should avoid the injection attack blocker.


  2. #2 Administrator

    Re: Searching a database, avoiding injection attacks

    Mark,

    Are you using embedded SQL or stored procedures?

    Here are a few tips:

    Make sure that the database account has the least privileges; usually you don't need more than insert and update. If you need to delete a record, have a flag in the table that says whether it is deleted or not, and use this delete flag in the SQL query to eliminate records.

    Make sure you validate data according to the data types and the lengths of the fields.

    Always use stored procedures, no embedded SQL. Make sure you validate the input again in the stored procedure.

    When there is an error, make sure you have a custom error class that returns the least and friendliest information. Exception handling and error handling are important in this.

    Make sure you ask a team mate to do a code review for you. No need to feel shy or insecure about asking, since it's very important that the application you build is secure; no one is going to say anything about your ability and skills. This is from my 20 years of experience, since I always do that even as an application manager today; in my case it will be project management and application functionality before the approval.

    Thanks,

    Last edited by admin; 06-18-2007 at 08:23 PM.
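The problem in the first post (stripping apostrophes breaks searches for "don't") and the tips in the reply (least-privilege account, length and type validation, stored procedures, a quiet error path) both point at the same fix: send the search term to the database as a typed parameter instead of splicing it into SQL text. The following is an added example written for this page, not code from either poster. It assumes a SQL Server back end with a stored procedure dbo.SearchArticles taking @Term nvarchar(100) and returning Id and Title, a dbo.Articles table carrying an IsDeleted flag, and a low-privilege login named webapp; the T-SQL in the header comment is that assumed schema.

```csharp
// Added example, not from the original thread. Assumed server-side objects:
//
//   CREATE PROCEDURE dbo.SearchArticles @Term nvarchar(100) AS
//     SET NOCOUNT ON;
//     SELECT Id, Title FROM dbo.Articles
//     WHERE IsDeleted = 0            -- soft-delete flag, no DELETE rights needed
//       AND Title LIKE @Term;        -- @Term is data, never SQL text
//   GRANT EXECUTE ON dbo.SearchArticles TO webapp;  -- no direct table access
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public sealed class SearchResult
{
    public int Id { get; set; }
    public string Title { get; set; }
}

public static class ArticleSearch
{
    private const int MaxTermLength = 100; // must match @Term nvarchar(100)

    // Validation is about size and shape, not about removing quotes:
    // "don't" passes through unchanged, an over-long or binary term does not.
    public static bool IsValidTerm(string term)
    {
        if (string.IsNullOrWhiteSpace(term)) return false;
        if (term.Length > MaxTermLength) return false;
        foreach (char c in term)
            if (char.IsControl(c)) return false;   // newlines, NULs, etc.
        return true;
    }

    // SQL Server LIKE treats %, _ and [ as wildcards; wrap them in brackets so a
    // user typing "100%" searches for the literal text. This is a LIKE concern,
    // not an injection one, and needs no ESCAPE clause in the procedure.
    public static string EscapeLikePattern(string term)
    {
        return term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    public static IList<SearchResult> Search(string rawTerm, string connectionString)
    {
        if (!IsValidTerm(rawTerm))
            throw new ArgumentException("Search term is empty, too long, or contains control characters.");

        var results = new List<SearchResult>();
        try
        {
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand("dbo.SearchArticles", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                // Typed, sized parameter: the apostrophe in "don't" is carried as
                // data, so an input like  ' OR 1=1--  is just a string to match.
                cmd.Parameters.Add("@Term", SqlDbType.NVarChar, MaxTermLength).Value =
                    "%" + EscapeLikePattern(rawTerm) + "%";

                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                        results.Add(new SearchResult { Id = reader.GetInt32(0), Title = reader.GetString(1) });
                }
            }
        }
        catch (SqlException ex)
        {
            // Full detail goes to the server log; the browser gets a generic message,
            // so schema names and SQL syntax errors are never shown to the user.
            Console.Error.WriteLine("SearchArticles failed: " + ex.Message);
            throw new ApplicationException("Search is temporarily unavailable.");
        }
        return results;
    }
}
```

With this in place, Search("don't", connectionString) returns articles whose titles contain "don't" and the apostrophe-stripping step from the first post is no longer needed. The only string manipulation left is EscapeLikePattern, which protects the meaning of the LIKE pattern, not the structure of the query; the parameter does that.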
