Showing posts with label Sql-injection. Show all posts
Showing posts with label Sql-injection. Show all posts

Saturday, February 6, 2010

How to Avoid Sql-injection :-

Principle

Implementation

Never trust user input

Validate all textbox entries using validation controls, regular expressions, code, and so on

Never use dynamic SQL

Use parameterized SQL or stored procedures

Never connect to a database using an admin-level account

Use a limited access account to connect to the database

Don't store secrets in plain text

Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings

Exceptions should divulge minimal information

Don't reveal too much information in error messages; use customErrors to display minimal information in the event of unhandled error; set debug to false