How can I handle SQL injection attacks using a query?
Q: How can I handle SQL injection across the whole application by using a query?
Kevin Kline says: It’s funny that you mention this since Microsoft UK just had a very public SQL Injection attack on their website. It’s reported on TechWorld here.
In essence, a SQL Injection attack is where a programmer has written a web page that exposes a SQL query to the internet. For example, you might write a query that allows the end user of a web page to enter the name of a product that they want to find on the web site. However, the web site is now vulnerable to attack because the programmer placed no string checking on the values returned by the web page, so a malicious person could, instead of putting the name of a product into the open field, substitute something like ‘DELETE FROM products’.
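To make that contrast concrete, here is an added example (not from the original post or from Kevin Kline) in Python with SQLite: the product search built by pasting the field value into the SQL text, as described above, beside the parameterized form. SQLite's execute() runs one statement at a time, so the constructed hostile input rewrites the WHERE clause rather than appending the DELETE from the answer, but the root cause is the same.

```python
import sqlite3

# Constructed sample catalogue standing in for the web site's products table.
SAMPLE_PRODUCTS = ["Widget", "Gadget", "Gizmo"]


def new_catalogue():
    """Create an in-memory SQLite database seeded with the constructed products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [(p,) for p in SAMPLE_PRODUCTS])
    return conn


def search_vulnerable(conn, user_input):
    """The pattern the answer warns about: the form field is concatenated straight
    into the SQL text, so whatever the user typed becomes part of the query."""
    sql = "SELECT name FROM products WHERE name = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, user_input):
    """The fix: the SQL text is fixed and the value is bound as a parameter,
    so the input can only ever be compared as a literal string."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def demo():
    """Run the same hostile field value through both versions and return the rows each yields."""
    conn = new_catalogue()
    # Constructed attacker input: the quote closes the string literal, OR 1=1 makes
    # the WHERE clause always true, and '--' comments out the trailing quote.
    hostile = "x' OR 1=1 --"
    return {
        "vulnerable": search_vulnerable(conn, hostile),        # whole catalogue leaks
        "parameterized": search_parameterized(conn, hostile),  # no product has that literal name
        "honest": search_parameterized(conn, "Widget"),        # normal lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```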
SQL injection is a broad and complex topic, though, so you’d best read what the experts have written. I like what NGS Software puts out, such as this white paper.
I also really like Chip Jones’ website called SQL Security.com, which has extensive information on SQL Injection attacks and defenses. It also has a really good utility available for free called LOCKDOWN.SQL.
Technorati Tags:
SQL injection attack, database security, database vulnerabilities, NGS Software, Chip Jones, www.sqlsecurity.com, LOCKDOWN.SQL