Comments on [security through absurdity]: Security Vulnerability of the Week(?) #1: SQL Inje...

I couldn't believe it when I looked up my house on...

2009-05-08T10:18:00.000-04:00

I couldn't believe it when I looked up my house on my county's appraisal web site, accidentally put a ' at the end... and watched it spew out an error showing an entire SQL script, table names, etc. Tax dollars at work, for sure!

Use parameters with prepared statements/LINQ or us...

2009-03-05T14:08:00.000-05:00

Use parameters with prepared statements/LINQ or use stored procs, never use inline SQL
Use only permissions that are needed, certainly not DBO

Paul, I think the point of the article is that YES...

2009-03-03T17:11:00.000-05:00

Paul,
I think the point of the article is that YES the solution is easy yet for the various reasons above it still doesn't get done right. Try dealing with #4 in particular, it's fan-effing-tastic.
-Louie

No only does using the proper libraries (e.g. SqlC...

2009-03-03T16:36:00.000-05:00

No only does using the proper libraries (e.g. SqlCommand with parameters) keep you safe from SQL injection but they also handle date and number formate locale differences :)

[)amien

My philosophy for server-code is that ALL clients ...

2009-03-03T12:42:00.000-05:00

My philosophy for server-code is that ALL clients are either stupid or malicious. Whether they're people on the other side of a browser or client-code that I wrote myself. From that perspective, the server MUST validate all input.

For SQL injection, though, a simple solution is to not build dynamic SQL like that. Use tools and libraries and patterns that don't allow for such simple attacks.