SQL Injection

Things to consider to avoid SQL Injection:

1. Have a function which vets the inputs from your forms :

 ex: "select", "drop", ";" , "--", "insert", "delete", "xp_" 

2. Escape single quotes with two single quotes

ex: d'souza should be d''souza.

3. Set  size for number of characters text box can accept. Thus limiting the amount of untoward values that can be input

4. Do not use sa account for application related queries. Create a separate account with limited privleges. ex: if you need user to only view reports, create user account which has only 'SELECT' permissions.

Comments

Post a Comment

Popular posts from this blog

Drupal - How to display webform node in a block?

While building a site in Drupal 6.x, I had a requirement to display a contact us form box in all the pages of the site - except, on the Main Contact Us Form page(ofcourse, you wouldnt want and extra contact us box sticking!). I started by creating a new content type using the WebForm module. I added fields like firstname, lastname, emailaddress, company url and message and saved it. After this, I tried to figure out a way to add the form to a block. The idea was to stick the form in a block and place it on a content region and configure it to show on all pages except admin pages. But, I was stuck on how to display the webform node in a block. One idea was to use the NodeToBlock module. I had a feeling that there could be an easier way to implement this and went back to the webform page and dug up all the options in the webform form and hey presto! buried at the bottom of the settings was a check box 'Available as block'. I checked this and a block was created for this f
Read more

Error when Installing SQL Server 2008 R2 Management Studio

Yesterday, I downloaded and tried installing the 64bit version of the Sql Express Mangement Studio, but I received the below error message   Another version of Microsoft Visual Studio 2008 has been detected on this system that must be updated to SP1. Please update all Visual Studio 2008 installations to SP1 level, by visiting Microsoft Update This message was particularly baffling since my laptop was a new build and I had installed VS 2010 only. On further investigation I found that one of the software installation that I did had installed VS 2008 components. The Add Remove programs in Control panel wasn't helpful. I used the VS2008 uninstall tool from microsoft site http://go.microsoft.com/fwlink/?LinkId=105801 This removed the VS2008 instance completely. I reran the setup for Management Studio and all worked well. To do it manually try http://blogs.msdn.com/b/joy/archive/2008/10/21/how-to-remove-visual-studio-2008-manually.aspx Hope it works out for you..
Read more

Technical Team Lead Interview Questions

Following are some of the questions which can be asked for a technical team lead interview: a. if you have a non performing developer in your team, how will you deal with them (Question relates to Motivation)? b. Have you ever had a project, that you were working on was in danger of missing the deadline and were you able to bring it back to schedule? if so how? c. Have you ever been part of recruiting members of the team? d. What document will you give to your developer when developing a requirement. State the details that will be included the document. e. What are your strengths and weaknesses? f. if we ask your team, what will your colleagues describe as your strengths and weaknesses.
Read more