I’ve seen a few attempted SQL injection attacks on one of my web sites. It comes in the form of a query string that includes the ‘cast’ keyword and a bunch of hex characters which when ‘decoded’ are an injection of banner adverts into the DB.
My solution is to scan the full URL (and params) and search for the presence of ‘cast(0x’ and if it’s there to redirect to a static page.
How do you check your URLs for SQL Injection attacks?
I think it depends on what level you’re looking to check/prevent SQL Injection at.
At the top level, you can use URLScan or some Apache Mods/Filters (somebody help me out here) to check the incoming URLs to the web server itself and immediately drop/ignore requests that match a certain pattern.
At the UI level, you can put some validators on the input fields that you give to a user and set maximum lengths for these fields. You can also white list certain values/patterns as needed.
At the code level, you can use parametrized queries, as mentioned above, to make sure that string inputs go in as purely string inputs and don’t attempt to execute T-SQL/PL-SQL commands.
You can do it at multiple levels, and most of my stuff to date has the second two issues covered, and I’m working with our server admins to get the top layer stuff in place.
Is that more along the lines of what you want to know?
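To make the three layers in this answer concrete, here is an added example that is not part of the original question or answer. It uses Python's standard `sqlite3` module with a constructed `products` table (a hypothetical schema), shows the difference between a query built by string concatenation and a parameterized query at the code level, a whitelist check at the input level, and a request-level check for the `cast(0x` pattern the question describes. The function names and the sample URLs are assumptions made for the example.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample database for the example (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 19.99)],
    )
    conn.commit()
    return conn


# Code level, the wrong way: the raw input becomes part of the SQL text,
# so "1 OR 1=1" changes the meaning of the WHERE clause.
def lookup_vulnerable(conn, product_id):
    sql = "SELECT name FROM products WHERE id = " + product_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


# Code level, the right way: a placeholder. The driver sends the value
# separately from the statement, so it can only ever be compared as data.
def lookup_parameterized(conn, product_id):
    sql = "SELECT name FROM products WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (product_id,))]


# UI / input level: whitelist the shape of the value and cap its length.
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")

def is_valid_id(value):
    return bool(ID_PATTERN.match(value))


# Request level: the check from the question, applied to the decoded query
# string so percent-encoding and inserted spaces do not hide the pattern.
def looks_like_cast_hex_injection(url):
    query = urllib.parse.urlsplit(url).query
    decoded = urllib.parse.unquote_plus(query).lower().replace(" ", "")
    return "cast(0x" in decoded


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1 OR 1=1"))      # both rows leak
    print(lookup_parameterized(conn, "1 OR 1=1"))   # no match
    print(is_valid_id("1 OR 1=1"))                  # rejected before any query
    # Constructed sample URL, short hex placeholder instead of a real payload.
    print(looks_like_cast_hex_injection("/page?id=1;cAsT%280x41%29"))
```

Running the script shows why the layers complement each other: the parameterized query alone already prevents the clause from being rewritten, the whitelist rejects the bad value before it reaches the database, and the request-level check catches the specific pattern seen in the logs even when it is percent-encoded.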