Recently I have planned to store the contact form details in a database. At that time I heard about SQL injection. How can I prevent SQL injection on my website? Is there any solution for this one? I am using ASP.NET and SQL Server 2008 R2.
I actually had this issue years ago and found a simple solution that has effectively stopped all SQL injection attacks. In your code verify that any calls to your site/database are submitted from your own domain.
I assume that you use PHP; if so, upgrade to the latest stable version and use PDO (data objects) prepared statements:
No, I am using .NET for developing my website, and I have used the CMS (DNN) for developing my website.
Err. How does that work then?
A SQL injection attack uses a form field on your site to input escape characters and SQL commands. In a vulnerable site without data checking, the data from the form field is added into a SQL instruction and executed. It is therefore all executed from your own domain and thus the check you have implemented helps you not at all.
To prevent SQL injection attacks you need to look at all form field data that is going to be used in SQL instructions and make sure it doesn't contain unexpected characters or formations.
Last edited by DaveSawers; 07-12-2012 at 05:24 AM.
Dynamic Software Development
www.activeminds.ca
You may find some helpful information on my web site about SQL injection: tips about preventing SQL injection and protecting SQL from attackers.
What is SQL injection? It is a way to inject a SQL query/command as an input, possibly via web pages. Many web pages take parameters from the web user and make a SQL query to the database. With SQL injection, it is possible for us to send a SQL query that will carry out an undesired result. For example, it could be likened to issuing a format *.* in DOS.
I believe Regular Expressions (Regex, regexp, RE, re) can help filter out some attacks
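Since the original poster is on ASP.NET and SQL Server, here is an added example (not code from any post in this thread) of what the prepared-statement advice and DaveSawers' explanation look like in ADO.NET. The table name Contacts, its column sizes and the connection string are assumptions. The first method shows the vulnerable pattern DaveSawers describes, where a quote character in a form field ends the string literal and the rest of the field is parsed as SQL; the second sends the same values as typed parameters, so the database never treats them as part of the statement. The regex check at the end is the allow-list idea from the last post, kept as a defence-in-depth length and shape check rather than as the injection defence itself.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example for the thread above; not part of DNN or any poster's code.
// Assumed table: Contacts(Name nvarchar(100), Email nvarchar(254), Message nvarchar(2000))
public static class ContactFormStorage
{
    // Assumption: adjust to your own server/database.
    private const string ConnectionString =
        "Server=localhost;Database=Website;Integrated Security=true;";

    // VULNERABLE: form values are concatenated into the SQL text, so the
    // database parses whatever the user typed as part of the statement.
    // Kept only to show the pattern to avoid; do not use this in production.
    public static void SaveContactVulnerable(string name, string email, string message)
    {
        string sql = "INSERT INTO Contacts (Name, Email, Message) VALUES ('"
                     + name + "', '" + email + "', '" + message + "')";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // SAFE: the SQL text is a constant and the values travel as parameters.
    // SQL Server receives them as data of the declared type and length, so
    // quotes, semicolons or comment markers in a field cannot alter the query.
    public static int SaveContact(string name, string email, string message)
    {
        if (!IsValidContact(name, email, message))
            throw new ArgumentException("Contact form input rejected by validation.");

        const string sql =
            "INSERT INTO Contacts (Name, Email, Message) VALUES (@Name, @Email, @Message)";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
            cmd.Parameters.Add("@Message", SqlDbType.NVarChar, 2000).Value = message;
            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows inserted (1 on success)
        }
    }

    // Defence in depth: allow-list the shape and length of each field.
    // This enforces business rules and keeps junk out of the table; the
    // parameters above are what actually prevent injection.
    private static readonly Regex EmailShape =
        new Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+$", RegexOptions.Compiled);

    public static bool IsValidContact(string name, string email, string message)
    {
        return !string.IsNullOrWhiteSpace(name) && name.Length <= 100
            && email != null && email.Length <= 254 && EmailShape.IsMatch(email)
            && !string.IsNullOrWhiteSpace(message) && message.Length <= 2000;
    }
}
```

In a DNN module or a plain ASP.NET page, the code-behind for the form's submit handler would call SaveContact with the TextBox values directly; there is no need to escape or strip characters from them first, because the parameters carry them as data. The same applies to SELECT statements used to read the form submissions back, and to the database account the site connects with, which should only have INSERT/SELECT rights on the contact table rather than ownership of the whole database.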