SQL Injection detection

GMartin

Besides parameterizing SQL or using Stored Procedures, is there any
reliable way to test if a string has an SQL Injection attack? For
example, can one use the same method ADO uses when examining
parameters to detect SQL Injection?
 
Cowboy (Gregory A. Beamer)

You can run regex, but you have to be careful about the things you are
looking for. Generally things like:

' or userName is not null --

You can find the patterns, but what if the pattern is legal in a string? You
then throw out things that are valid. Better to parameterize.

--
Gregory A. Beamer
MVP, MCP: +I, SE, SD, DBA

*************************************************
| Think outside the box!
|
*************************************************
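
The trade-off described in the answer above, as an added example that is not part of the original thread: a pattern filter flags the injection string but also rejects a legitimate value, while a bound parameter handles both as plain data. Python's sqlite3 stands in for ADO here, and the regex, table, and sample rows are constructed for illustration.

```python
import re
import sqlite3

# Hypothetical blacklist of the kind the answer warns about (constructed).
SUSPICIOUS = re.compile(r"'\s*(or|and)\b|--", re.IGNORECASE)

PAYLOAD = "' or userName is not null --"   # string quoted in the thread
LEGIT = "Jo 'JJ' or Joe -- nickname"       # constructed, legitimate value

def looks_like_injection(value):
    """Naive pattern check: flags any string containing a listed fragment."""
    return bool(SUSPICIOUS.search(value))

def make_db():
    """In-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userName TEXT)")
    db.executemany("INSERT INTO users VALUES (?)",
                   [("alice",), ("bob",), (LEGIT,)])
    return db

def find_concatenated(db, name):
    """Vulnerable form: the input becomes part of the SQL text."""
    sql = "SELECT userName FROM users WHERE userName = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, name):
    """Hardened form: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT userName FROM users WHERE userName = ?"
    return [row[0] for row in db.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    for value in (PAYLOAD, LEGIT, "alice"):
        print(repr(value), "flagged by regex:", looks_like_injection(value))
    # Concatenation lets the payload rewrite the WHERE clause: every row matches.
    print("concatenated, payload:  ", find_concatenated(db, PAYLOAD))
    # Bound as a parameter, the payload is just a name that matches nothing.
    print("parameterized, payload: ", find_parameterized(db, PAYLOAD))
    # The value the regex would have rejected is looked up without trouble.
    print("parameterized, legit:   ", find_parameterized(db, LEGIT))
```
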
 
