Friday, January 25, 2008

SQL attacks - the lethal injection

Hi there,

Let everybody know the two very simple golden rules for web applications that communicate with SQL servers:

1. Never send user input text strings directly to the (backend) SQL server(s). Make sure to "clean it up" first (e.g. no special characters etc.). Only accept input you KNOW you want.

2. Always use Stored Procedures and call them with arguments instead of letting text strings (SQL injections) take control of your (backend) SQL server(s).
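Both rules side by side, as an added example that is not part of the original post. It uses Python's standard sqlite3 module on a constructed in-memory table; since SQLite has no stored procedures, rule 2 is shown through its underlying principle, a fixed statement with the user's values bound as parameters, and rule 1 through an allow-list on the username shape. The table, the sample users and the `login_*` function names are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data for the example (plaintext passwords are only
# acceptable here because this is a toy table, never in a real system).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "pa55word"),
]

# Rule 1: the only username shape we KNOW we want (assumed policy).
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Both rules broken: raw input is glued into the SQL text, so the
    input can change the structure of the statement the server parses."""
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Rule 2 in spirit: the statement text is fixed by the program and the
    inputs travel separately as bound values, so they are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def username_is_allowed(username):
    """Rule 1: accept only the known-good shape; everything else is rejected."""
    return ALLOWED_USERNAME.fullmatch(username) is not None


def login_hardened(conn, username, password):
    """Rule 1 then rule 2: reject unexpected input before it reaches the
    database, and still bind what survives as a parameter."""
    if not username_is_allowed(username):
        raise ValueError("username rejected by input allow-list")
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the quoted string and appends a
    # tautology; it matters only to the string-gluing version.
    bad = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, bad, bad))       # every user
    print("parameterized:", login_parameterized(db, bad, bad)) # nobody
    print("allowed shape:", username_is_allowed(bad))           # False
```

Run it and the gluing version logs everyone in with a nonsense credential, while the parameterized version simply finds no user named `' OR '1'='1`. Detection-wise, the tell in the first variant is that the statement text the server receives differs per request; with bound parameters the server sees one fixed statement, which also makes query logs far easier to baseline.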

Sticking to those rules will make life a lot easier for admins, consultants and security guys like me. Tell your company's developers, third-party software vendors etc. to stick to the rules (even though they should know them by heart already) - spread the word and life will be a lot easier for all of us good people around the globe :)