Beyond stored procedures: ‘defense-in-depth’ against SQL injection
A few years ago, mentioning the phrase ‘SQL Injection’ to developers or asking to adopt a ‘defense-in-depth’ strategy would probably get you a blank stare for a reply. These days, more people have heard of SQL Injection attacks and are aware of the potential danger these attacks present, but most developers’ knowledge of how to prevent SQL Injection is still inadequate, and when asked how to defend their applications against SQL Injection, they usually reply, “That’s easy, just use stored procedures.” As we will see, using stored procedures is a great first step for your defense strategy, but is not sufficient as the only step. You need to adopt a defense-in-depth strategy. Read this article as a PDF: click here
•Date: 21st July 2006 • Region: US/World • Type: Article •Topic: ISM |
