Ask HN: What do you do to avoid SQL injection attacks?
6 points by joubee 5194 days ago
I've been looking at SQL injection recently and was interested to know what other developers do to prevent these attacks.

Does anyone have anything to add?

1. Use dynamic SQL if and only if there is no other alternative

2. Escape user input always

3. Always assume magic quotes are off

4. Install security updates and patches regularly

5. Remove all the dead SQL or other code that you don't use

6. Never display the system defined error message for SQL errors

7. Store database credentials in a separate file

8. Use the principle of least privilege

9. Disable shells

10. Use SQL injection Hack tools to check vulnerabilities

4 comments

Parameterized queries - gist of it is it stops you concatenating a bunch of your and their strings together to form your SQL statement.
codinghorror.com: Give me parameterized SQL, or give me death

http://www.codinghorror.com/blog/2005/04/give-me-parameteriz...

I have fairly strong feelings when it comes to the stored procedures versus dynamic SQL argument, but one thing is clear: you should never, ever use concatenated SQL strings in your applications. Give me parameterized SQL, or give me death. There are two good reasons you should never do this.

[I need to spend some time looking at this - tyvm benologist]
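The three approaches from the list (concatenated dynamic SQL, hand escaping, and the parameterized queries benologist recommends) side by side, as an added example that is not part of the thread or anyone's posted code. It uses Python's standard-library sqlite3 module against a constructed in-memory users table; the payloads, table and function names are all assumptions made for the illustration. It also shows the item-6 point about not surfacing the database's own error text.

```python
import sqlite3

# Constructed sample data, not from the thread: an in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def empty_db():
    # A connection with no schema at all, used to provoke a driver error below.
    return sqlite3.connect(":memory:")


def names(rows):
    # Sorted so results do not depend on scan order.
    return sorted(row[0] for row in rows)


# 1. Concatenation: the attacker's text is parsed as part of the SQL grammar.
def by_name_concat(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return names(conn.execute(sql))


# 2. Hand-rolled escaping: doubling single quotes defuses a string-context
#    payload, but only if every call site remembers it, and it does nothing
#    when the value is interpolated unquoted (see by_id_escaped below).
def by_name_escaped(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return names(conn.execute(sql))


# 3. Parameterized: statement text and values travel separately, so no byte
#    in the value can change the statement's structure.
def by_name_param(conn, name):
    return names(conn.execute("SELECT name FROM users WHERE name = ?", (name,)))


# Numeric context: there are no quotes to escape, so escaping is a no-op and
# "1 OR 1=1" becomes part of the WHERE clause.
def by_id_escaped(conn, user_id):
    sql = "SELECT name FROM users WHERE id = " + str(user_id).replace("'", "''")
    return names(conn.execute(sql))


def by_id_param(conn, user_id):
    # The bound value is compared against an INTEGER column: "1" is converted
    # and matches id 1; "1 OR 1=1" is not a number, stays text, matches nothing.
    return names(conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)))


# List item 6: never hand the database's own error message to the user.
# Keep the detail in a server-side log and return a generic failure marker.
def safe_lookup(conn, name, log):
    try:
        return by_name_param(conn, name)
    except sqlite3.Error as exc:
        log.append(f"lookup failed: {exc!r}")  # stays server-side
        return None  # caller shows a generic "lookup failed" message


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(by_name_concat(conn, payload))    # ['alice', 'bob']  (injected)
    print(by_name_escaped(conn, payload))   # []
    print(by_name_param(conn, payload))     # []
    print(by_id_escaped(conn, "1 OR 1=1"))  # ['alice', 'bob']  (escaping did nothing)
    print(by_id_param(conn, "1 OR 1=1"))    # []
    log = []
    print(safe_lookup(empty_db(), "alice", log), len(log))  # None 1
```

The numeric case is the one that catches people who believe escaping is enough: the payload contains no quote characters, so there is nothing for the escaper to act on, while the parameterized version is safe without any special handling because the value never enters the parser.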

Precisely. I use obfuscated stored procedures.
Agree with all the statements above. We use Active Record for CodeIgniter or ORM Datamapper and stay away from writing manual queries.
I wrote my own database.

http://zv.github.com/artifact/

I used Ruby activerecord and don't write manual queries.