SQL Injection
SQL Injection works by tricking the database: input supplied to the application is placed into a SQL query on a table, where it is parsed as a valid condition of that query. It may be done creatively in many ways. More than 50% of hacking attacks are done through SQL injection.
PREVENTION:
Use SQL filters to keep "LIKE", single or double quotes, backslashes, colons and other special characters out of the SQL query.
Maintain privileges and strict user control over the database by creating separate views/schemas for each operation.
Use ORACLE's dynamic query escaper, ESAPI.
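As an added example, not from the original post: an in-memory SQLite table with constructed sample data shows the concatenated query that lets input be parsed as a condition of the query, beside the parameterized query, allowlist filter and restricted view that the prevention points above describe. The function names and the `users`/`user_names` table and view names are assumptions.

```python
import re
import sqlite3

# Constructed sample table; the names and passwords are example values only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    # A view exposing only non-sensitive columns: the read-only part of the
    # application queries this view instead of the base table (one view per
    # operation, as the prevention list advises).
    conn.execute("CREATE VIEW user_names AS SELECT id, name FROM users")
    return conn

def login_vulnerable(conn, name, password):
    # The query text is assembled by string concatenation, so whatever the user
    # types becomes part of the SQL and is parsed as a condition of the query.
    sql = ("SELECT id FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, name, password):
    # Parameterized query: the values travel separately from the SQL text and
    # are compared literally, quotes and all, so they cannot alter the condition.
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

def is_valid_username(name):
    # Allowlist filter for a field whose format the application controls;
    # a defence-in-depth layer, not a substitute for parameterization.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None

def list_user_names(conn):
    # Reads through the restricted view, never touching the password column.
    return [row[0] for row in conn.execute("SELECT name FROM user_names ORDER BY name")]

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the classic always-true condition, here in the password field
    print("vulnerable:", login_vulnerable(db, "alice", probe))  # True: the condition is rewritten
    print("safe:      ", login_safe(db, "alice", probe))        # False: the input is just a string
    print("filter:    ", is_valid_username(probe))              # False: rejected before any query
    print("view:      ", list_user_names(db))                   # ['alice', 'bob']
```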