Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database.
This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.
Please consult the following resources for implementing parameterized database queries and preventing SQL Injection in your code base:
Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:
- Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
- Utilize the principle of least privilege(link is external) when provisioning accounts used to connect to the SQL database. For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts. Never allow your web application to connect to the database with Administrator privileges (the "sa" account on Microsoft SQL Server, for instance).
- Do not use shared database accounts between different web sites or applications.
Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.
