We sanitize data that's to be saved to the DB by disallowing or stripping illegal characters that only a hacker might use to inject code through string manipulation or form submissions.
Regular expressions (regex) are perfect for this job. We use an include file with a VBScript function and call it prior to saving data. It's server-side, so there's little chance of it failing, but it's a little slow and frustrating for the user if you're bouncing data back and forth to the browser.
Of course, we generally have a JavaScript validation routine in place anyway, so that helps.
Additionally, your client might want to use another script, or get one written, that'll check the data that's already stored in the DB for signs of SQL injection or cross-site scripting attacks.
Here's a great article that describes some of the data strings to look out for:
Detection of SQL Injection and Cross-site Scripting Attacks
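As an added example (not the poster's include file), here is a VBScript screen in the shape described: one function flags a value carrying SQL injection or XSS markers, usable both before saving and when scanning rows already in the DB, and a stripping variant for the save path; the patterns and sample rows are constructed for illustration.

```vbscript
Option Explicit

' Indicator patterns, constructed for this example (not from the original
' post); adapt them to your own data and keep them under review.
Const SQLI_PATTERN = "(%27|')\s*(or|and)\b|(%27|')\s*--|;\s*(drop|delete|insert|update)\s|\bunion\s+(all\s+)?select\b"
Const XSS_PATTERN = "<\s*script\b[^>]*>|javascript\s*:|\bon(load|error|click|mouseover)\s*=|<\s*iframe\b"

' True when the text matches the pattern, case-insensitively.
Function MatchesPattern(ByVal text, ByVal pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = True
    MatchesPattern = re.Test(text)
End Function

' Classifies one field value: "" when clean, otherwise "sqli" or "xss".
' Call it before saving, or loop it over an existing recordset.
Function ClassifyInput(ByVal text)
    If MatchesPattern(text, SQLI_PATTERN) Then
        ClassifyInput = "sqli"
    ElseIf MatchesPattern(text, XSS_PATTERN) Then
        ClassifyInput = "xss"
    Else
        ClassifyInput = ""
    End If
End Function

' Stripping variant for the save path. Removing one fragment can expose
' another (e.g. "<scr<script>ipt>"), so repeat until nothing changes.
Function StripInjection(ByVal text)
    Dim re, prev
    Set re = New RegExp
    re.Pattern = SQLI_PATTERN & "|" & XSS_PATTERN
    re.IgnoreCase = True
    re.Global = True
    Do
        prev = text
        text = re.Replace(text, "")
    Loop Until text = prev
    StripInjection = text
End Function

' Constructed sample rows standing in for a recordset; run with cscript.
Dim rows, r
rows = Array("Smith, John", "x' OR 1=1 --", "<scr<script>ipt>alert(1)</script>", "onload=x")
For Each r In rows
    WScript.Echo "[" & ClassifyInput(r) & "] " & r & " -> " & StripInjection(r)
Next
```

A blocklist like this is a screening aid only; parameterized queries and output encoding are what actually stop injection, whatever the patterns miss.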