Preventing SQL Injection in SQL Server

Saint Nick

Lifer
Jan 21, 2005
Our security group uncovered a situation with a web application that I manage. Long story short, they performed penetration testing on our application and were able to see the contents of our table(s).

I fixed the application on the front end by only allowing certain data types within the query itself through the use of <cfqueryparam>.

However, what else should be done server side to prevent it aside from dealing with user/application IDs?
 

Crusty

Lifer
Sep 30, 2001
SQL Injections are all about poorly written code and queries. If you follow good practices for sanitizing user input, using parametrized queries, and never constructing queries like "SELECT * FROM " + userInputTableName + " WHERE true;" then you won't have SQL injection problems.

Aside from that, having good backup strategies will help minimize the damage from an SQL injection attack if they manage to corrupt your database.
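A worked example of the server-side half of this, added here and not code from the thread: the same parameterization `<cfqueryparam>` does on the ColdFusion side, done inside SQL Server with `sp_executesql`, plus least privilege so the application login cannot read tables directly even if some other code path is injectable. The table `dbo.Orders`, its columns and the database user `AppUser` are hypothetical names.

```sql
-- Hypothetical schema for the example: dbo.Orders(OrderId, CustomerId, Status)
CREATE PROCEDURE dbo.GetOrdersByStatus
    @CustomerId INT,
    @Status     NVARCHAR(20)
AS
BEGIN
    SET NOCOUNT ON;

    -- Unsafe pattern (the kind of thing a pentest finds): the value is spliced
    -- into the statement text, so a crafted @Status changes the query itself.
    -- Left commented out purely for contrast.
    -- EXEC (N'SELECT OrderId FROM dbo.Orders WHERE Status = ''' + @Status + N'''');

    -- Safe pattern: the statement text is fixed and the values travel as typed
    -- parameters, so nothing the caller supplies can alter the SQL.
    DECLARE @sql NVARCHAR(MAX) = N'
        SELECT OrderId, Status
        FROM dbo.Orders
        WHERE CustomerId = @CustomerId AND Status = @Status;';

    EXEC sys.sp_executesql
        @sql,
        N'@CustomerId INT, @Status NVARCHAR(20)',
        @CustomerId = @CustomerId,
        @Status     = @Status;
END
GO

-- Parameters cannot carry object names. When a table name really must vary
-- (Crusty's "SELECT * FROM " + userInputTableName case), whitelist it against
-- the catalog and delimit it with QUOTENAME instead of trusting the string.
DECLARE @TableName SYSNAME = N'Orders';   -- constructed sample input
DECLARE @dyn NVARCHAR(MAX);
IF NOT EXISTS (SELECT 1 FROM sys.tables
               WHERE name = @TableName AND schema_id = SCHEMA_ID('dbo'))
BEGIN
    RAISERROR('Unknown table', 16, 1);
    RETURN;
END
SET @dyn = N'SELECT TOP (10) * FROM dbo.' + QUOTENAME(@TableName) + N';';
EXEC sys.sp_executesql @dyn;
GO

-- Least privilege for the web application's login: it may execute the
-- procedure but has no direct SELECT on the table, so an injection elsewhere
-- cannot simply dump the table contents.
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.Orders FROM AppUser;
GRANT EXECUTE ON dbo.GetOrdersByStatus TO AppUser;
GO
```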
 

boran

Golden Member
Jun 17, 2001
And for the love of god, do not store passwords without a decent salt + hashing algorithm.