SQL injection and how to prevent it

Help Stop SQL Injection"Syringe2". Licensed under CC BY-SA 3.0 via Wikimedia Commons.

SQL injection can cause real harm if you don't take the necessary precautions to prevent it

What is it?

SQL injection is a vulnerability where a user can inject valid SQL code into a user input field to manipulate or attack a SQL database. Any SQL database that does not use certain security best practices is vulnerable.

SQL injection is one of the top website security vulnerabilities.

What can programmers do to combat this issue?

The only way to prevent the success of SQL injection attacks is to use SQL parameters. The practice of "blacklisting" certain words is not a good idea as many of these words are necessary as valid input in a text field.

Building queries with parameters in SQL is not particularily difficult, but does differ depending on which language you are coding in. You should look up syntax for specific languages for more detailed information.

In general, you will use a ? as a marker for the injectible input. You can then sanitize the input before injecting it. Thus removing the ability of a hacker to access the database with a string of executable code.

 
 

Let's do something EPIC!