[thelist] SQL Update CORRECTION

Sarah Sweeney mr.sanders at designshift.com
Mon Jul 19 09:20:37 CDT 2004


Ken Schaefer wrote:
> If you think that doubling quotes will get you out of most injection
> attacks then you didn't read the links that I posted previously.
> 
> There are lots of good SQL Injection attack papers out there. Never
> make the mistake that you think you know the ways that an attacker can
> break into your application, especially when you're not in the
> professional security business.
> 
> Explicitly choosing to /allow/ things rather than attempting to work
> out what to disallow is the correct way of handling things. For any
> new development, I don't see how this takes any longer than trying to
> work out what to disallow.
> 
> Cheers
> Ken

For those of us who don't have time to read 38 pages on SQL injection 
techniques :) what do you suggest will prevent SQL injection attacks? 
Are you saying that doubling single quotes and checking for "allowed" 
values will do the trick, or are there other important preventive 
measures we should be taking?

Thanks,

Sarah

-- 
Sarah Sweeney
Web Developer & Programmer
Portfolio :: http://sarah.designshift.com
Blog, etc :: http://hardedge.ca
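As an added illustration of the two approaches discussed in this exchange (doubling single quotes versus explicitly allowing known-good values), the following Python code is not from the thelist thread or from either poster; it uses an in-memory SQLite database and a constructed users table, and the function and table names are assumptions for this example. It shows quote doubling working only where the value lands inside a quoted string literal, and contrasts it with bound parameters for data values plus an allow-list for an identifier (a sort column) that cannot be bound as a parameter.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the list thread).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("O'Brien", "obrien@example.invalid"),
]

# Allow-list of column names a caller may sort by. Identifiers cannot be bound
# as parameters, so an explicit list of permitted values is the control here.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def double_quotes(value: str) -> str:
    """The 'doubling single quotes' technique discussed in the thread.

    This only protects a value placed inside a quoted SQL string literal; it
    does nothing for values spliced into numeric positions or identifiers.
    """
    return value.replace("'", "''")


def find_users_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Lookup built by concatenation with quote doubling (the approach under discussion)."""
    sql = "SELECT name, email FROM users WHERE name = '" + double_quotes(name) + "'"
    return conn.execute(sql).fetchall()


def find_users(conn: sqlite3.Connection, name: str, sort_col: str = "name") -> list:
    """Lookup using a bound parameter for the value and an allow-list for the identifier.

    The name is passed to the driver separately from the SQL text, so any quote
    or comment characters in it are treated as data. The sort column is checked
    against ALLOWED_SORT_COLUMNS before it is placed into the statement.
    """
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_col!r}")
    sql = f"SELECT name, email FROM users WHERE name = ? ORDER BY {sort_col}"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_users_escaped(db, "O'Brien"))   # quote doubling handles a legitimate apostrophe
    print(find_users(db, "O'Brien"))           # bound parameter handles it too
    print(find_users(db, "alice'"))            # stray quote is just data: no match
    print(find_users(db, "alice", "email"))    # allowed sort column
```

The design point is that the value check and the identifier check are different controls: a bound parameter keeps a data value out of the SQL text entirely, while an allow-list is what remains for pieces of the statement (column names, sort direction) that drivers cannot parameterize.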

