http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsqlmag04/html/injectionprotection.asp
Prevent SQL Injection Attacks
Michael Otey

All relational databases, including SQL Server, Oracle, IBM DB2, and MySQL, are susceptible to SQL injection attacks. You can buy products that claim to protect your system from SQL injection, but in most businesses, prevention has to happen at the code level. SQL injection attacks come mainly from web applications that take the user's input, build a dynamic SQL command from it, and send that command to the database to execute. The following four steps will help protect your web application from such attacks. In addition, the MSDN patterns and training material I pointed to last month also offers suggestions for protecting database-driven web applications.

4. Least privilege
The account the application uses to connect to the database should have only the privileges it actually needs; this limits the damage an intruder can do to the rest of the system. Applications should never connect to the database as SA or another administrator account. Instead, the account should have access only to the single database the application needs to call.

3. Validate all input
If an input box may contain only numbers, verify that everything the user entered is a number. If letters are acceptable, check for characters that are not acceptable. Make sure your application checks for the following: semicolons, equal signs, dashes, parentheses, and SQL keywords. The regular expression support in the .NET Framework performs complex pattern matching and works well for this. It is also a good idea to limit the length of the user's input. Validating user input is essential, because intruders rely on the openness of the web to feed SQL injection attacks to your application.

2. Avoid dynamic SQL statements
Dynamic SQL is a powerful tool for database queries, but mixing it with user input is what makes SQL injection possible. Replacing dynamic SQL statements with precompiled SQL or stored procedures is feasible for most applications. Precompiled SQL and stored procedures receive the user's input as parameters rather than as part of the SQL command, which limits what an intruder can do. Of course, this does not help if your stored procedure itself uses the user's input to build a SQL command. In that case, SQL entered by the user may still be executed, and your database is still at risk of SQL injection.

1. Replace single quotes with double quotes
Replace every single quote the user enters with double quotes. This simple precaution defeats a large number of SQL injection attacks: a single quote often terminates the SQL statement, which can give the input power it should never have. Replacing single quotes with double quotes makes many SQL injection attacks fail.
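Steps 3 and 2 above, as an added example that is not part of the original article: a dynamic-SQL lookup built by string concatenation next to the same lookup with a bound parameter, plus an allow-list validator of the kind the article recommends. The in-memory SQLite table, the user names, the lookup functions and the name pattern are all constructed for this example; Python's re module stands in for the .NET regular-expression classes the article mentions.

```python
import re
import sqlite3

# Allow-list pattern (constructed): letters, digits, underscore, 1 to 32 chars.
# Rejects quotes, semicolons, dashes, parentheses and SQL keywords outright.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_name(name: str) -> bool:
    """Step 3: validate input against an allow-list and a length limit."""
    return NAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two users (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Dynamic SQL: the user's text becomes part of the command (step 2 warns against this)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Same query with a bound parameter: the input is passed as data, never as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    # A single quote in the input terminates the string literal in the dynamic
    # version, so the WHERE clause no longer restricts the result set.
    tampered = "bob' OR '1'='1"
    print("valid input? ", is_valid_name(tampered))          # False
    print("dynamic:      ", lookup_dynamic(db, tampered))     # every row
    print("parameterized:", lookup_parameterized(db, tampered))  # no row
```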