The only way to prevent these attacks is at the programming level. If the code is written carefully, they are normally prevented. So what are the programming rules to keep in mind?
- First, if possible, avoid running your SQL server, and connecting to it, with an account that holds every privilege.
- Remove features you do not need: master..xp_cmdshell and, in general, all the extended stored procedures whose names start with "master..xp".
- Check user input such as text fields. Where a number is expected, verify that the input really is a number, for example with a function like IsNumeric().
- Also check the parameters that are appended to URLs.
- Escape special characters with functions such as addslashes() in PHP (read up on the limitations of that function) and, in general, consult the documentation of your web programming language for more information. This prevents the user-supplied character ' from closing the string, because a backslash is placed in front of it.
- You can also reject, as a general rule, input containing sequences such as ";", "insert", "select", "/ /", "-" and so on.
- Take care to limit the number of characters a user can enter in a text field, as this can make the attacker's task considerably harder.
- Finally, be careful about what you store in cookies: a password (even hashed with md5) is quickly recovered by an attack of this type, and replaying that value in the cookie afterwards spares the attacker any brute-force effort, which is a nice gift.
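To illustrate the numeric-check and escaping rules above, here is an added example (not code from the original article) in Python with an in-memory SQLite table standing in for the application's database; the names `check_numeric`, `find_user_by_id` and `find_user_by_name` are assumptions, and `check_numeric` plays the role of the IsNumeric() check while parameter binding replaces addslashes()-style escaping.

```python
import re
import sqlite3

def make_db():
    """Constructed sample table (not from the article) with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "o'neil")])
    return conn

def check_numeric(value):
    """Equivalent of the IsNumeric() check the text recommends: accept only
    a string made of ASCII digits and return it as an int, refuse all else.
    Sequences such as ';' or '-' therefore never reach the query."""
    s = str(value).strip()
    if not re.fullmatch(r"[0-9]+", s):
        raise ValueError("expected a number, got %r" % (value,))
    return int(s)

def find_user_by_id_unsafe(conn, raw_id):
    """The pattern the text warns about: untrusted input is concatenated into
    the statement with no numeric check, so whatever was typed becomes SQL."""
    return conn.execute("SELECT name FROM users WHERE id = " + str(raw_id)).fetchall()

def find_user_by_id(conn, raw_id):
    """Numeric field: validate first, then pass the value as a bound parameter."""
    uid = check_numeric(raw_id)
    row = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None

def find_user_by_name(conn, raw_name):
    """Text field: the driver sends the value separately from the statement,
    so a quote inside the name is data, not SQL syntax; no addslashes() needed."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (raw_name,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(find_user_by_id(db, "2"))          # bob
    print(find_user_by_name(db, "o'neil"))   # 3
```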