Fix that injection, please

1. All database interaction must be abstracted through stored procedures.
2. No stored procedure should have dynamic SQL unless there is no other option.
3. Applications should have no access to table or view objects unless required by dynamic SQL, which is allowed under rule #2.
4. All database calls should be parameterized instead of being inline dynamic SQL.
5. No user input should be trusted and thought of as safe; all user interactions are suspect.
An excerpt from chapter nine of Securing SQL Server, by Denny Cherry, that might be of use in case you are dealing with a transactional database (proprietary or not), because it is about design, meaning architecture and understanding.

Via TechTarget
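As an added example (not from the book or the post), here is a SQL Server pattern that follows rules 1 to 4 above; the table, procedure and role names are assumptions.

```sql
-- Added example, not from the book or the post. Object names are assumptions.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    Region     NVARCHAR(50)  NOT NULL
);
GO

-- Rule 1: the application calls only this procedure, never the table.
-- Rule 2: dynamic SQL is used only because the sort column is chosen at runtime;
--         a column name cannot be passed as a parameter, so it is allow-listed.
-- Rule 4: the user-supplied search value travels as a typed parameter.
-- EXECUTE AS OWNER: dynamic SQL does not get ownership chaining, so without it
-- the caller would need SELECT on the table (rule 3's exception). With it, the
-- application role needs only EXECUTE on the procedure.
CREATE PROCEDURE dbo.usp_CustomerSearch
    @LastNamePrefix NVARCHAR(100),
    @SortColumn     SYSNAME = N'LastName'
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;

    -- Rule 5: the identifier is untrusted too; reject anything not on the list.
    IF @SortColumn NOT IN (N'LastName', N'Region', N'CustomerId')
    BEGIN
        THROW 50001, N'Invalid sort column', 1;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Region FROM dbo.Customer '
      + N'WHERE LastName LIKE @prefix + N''%'' '
      + N'ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    -- The search value is bound as @prefix, so quotes or keywords inside it
    -- are only ever compared as string data, never parsed as SQL.
    EXEC sys.sp_executesql
        @sql,
        N'@prefix NVARCHAR(100)',
        @prefix = @LastNamePrefix;
END;
GO

-- Rule 3: the application role gets EXECUTE on the procedure and nothing else.
CREATE ROLE app_user;
GRANT EXECUTE ON OBJECT::dbo.usp_CustomerSearch TO app_user;
-- Deliberately no GRANT SELECT ON dbo.Customer TO app_user.
GO
```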