How can I avoid SQL injection attacks?

The proper way to avoid SQL Injection attacks is NOT to simply disallow certain problematic characters, but rather to use parameterized SQL. In short, parameterized SQL prevents the database from executing raw user input as part of the SQL command this prevents user input like "drop table" from being executed. Just escaping characters does not stop all forms of SQL injection attacks and excluding certain words such as "Drop" does not work in all cases; there can be certain fields where "Drop" is a perfectly valid part of the data entry.

You can find some good articles on the subject of paramaterized SQL here:

https://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/

http://www.codeproject.com/KB/database/ParameterizingAdHocSQL.aspx

Now that you mentioned that you are working with ASP.net I can give you some links that deal specifically with SQL Injection in ASP.

https://dzone.com/articles/aspnet-preventing-sql-injectio https://www.c-sharpcorner.com/UploadFile/75a48f/how-sql-injection-can-be-possible-in-asp-net-websites/

Here is a more general article on making your ASP more secure: http://www.codeproject.com/KB/web-security/Securing_ASP_NET_Apps.aspx

And, of course the MSDN article on SQL injection: http://msdn.microsoft.com/en-us/library/ms998271.aspx


There's nothing "dangerous" about inserting a string containing -- in a database.

It is dangerous to insert anything in a database table that comes directly from user input without processing it, otherwise you leave yourself open to SQL injection attacks. Example: A coder lets the user type in their name in a field, and the user types:

Joe '); drop table users; commit transaction; --

and then the coder puts that in their MySQL database like so:

conn.execute("insert into users (username) values ('" + userInput + "')");

Boom The user has deleted the users table (assuming the database login had rights to do that, which it shouldn't -- but that's a different topic), because the coder didn't ensure that the string from the user was escaped correctly, and so it got sent directly to the DB engine and the attacker has a good laugh. :-)

Use whatever tools your environment provides to ensure that strings are escaped correctly. For instance, JDBC uses the PreparedStatement class for this. Most environments will have something similar.


SQL injection is a high security risk for most websites that allow users to squirt parameters into a statement that gets executed on a database.

A simple example would be:

Input field "Name: _________

"SELECT * FROM tblCustomer WHERE Name = '" + nameInputField + "'"

So if I type in "Bob" we have

"SELECT * FROM tblCustomer WHERE Name = 'Bob'"

But if I type in "'; DROP TABLE tblCustomer", we end up with the rather more sinister

"SELECT * FROM tblCustomer WHERE Name = ''; DROP TABLE tblCustomer"

There are lots of ways to avoid these problems, and many are built into whatever language you are using - so rather than think of all the dodgy possibilities ";", "--", "/*" etc, try and use something that already exists.

Shout out what language you're using and I'm sure we can tell you how to avoid these attacks.


He was talking about SQL Injection attacks, as is quite right in what he said.

The problem is not with such data existing in the database, but in passing input data directly to the database without sanitizing it.

Without cleaning it up, if someone passes in a string ending with a ; they can then follow it with anything they want (select * from sys.objects, for example) or something more malicious, like dropping some tables.

It is difficult to guard against fully, but if you use a good DB library from your code and follow known practices, such as using paremeterized queries you limit the possible damage.

Store as many -- in your database as you want, but do not pass that through to your database without going through a cleanup process (this is where a good DB library is vital - it should cleanup quotes and other potentially harmful input).