If you are using dynamically built queries, then employ the following techniques:
- Delimit single quotes by
replacing any instance of a single quote with two single quotes which
prevents the attacker from changing the SQL command. Using the example
from above, "SELECT * from Users WHERE login = ''' or ''1''=''1' AND
password = ''' or ''1''=''1'" has a different result than "SELECT
* from Users WHERE login = '' or '1'='1' AND
password = '' or '1'='1'".
- Remove hyphens from user
input to prevent the attacker from constructing a query similar to: SELECT
* from Users WHERE login = 'mas' -- AND
password ='' that would result in the second half of the query being
commented out and ignored. This would allow an attacker that knows a valid
user login to gain access without knowing the user's password.
- Limit the database permissions granted to the user
account under which the query will be executing. Use different user
accounts for selecting, inserting, updating, and deleting data. By
separating the actions that can be performed by different accounts you
eliminate the possibility that an insert, update, or delete statement
could be executed in place of a select statement or vice versa.
