SQL injection attacks might occur when dynamic SQL statements
are constructed from user input and the input is inadequately checked.
You can use several techniques to prevent or reduce SQL injection
attacks.
Procedure
To eliminate or reduce the risk of SQL injection attacks:
- Avoid dynamic SQL, whenever possible.
- Use pureQuery® or SQLJ rather than JDBC for Java.
- Use system security techniques, such as views and access
control mechanisms, whenever possible.
Understand the
limitations of security within an application. System security can
use security and integrity mechanisms that are not available to application
programs. The level of assurance that can be provided in system security
can be much higher. If the applications are run on the client or have
fewer protection layers and firewalls than the database, make sure
to address those limitations.
- Use row permissions and column masks to protect data even
if the statement is compromised by SQL injection attacks.
- Put input data into host variables with just the value
or use a parameter marker in dynamic SQL.
- Make sure to check all input:
- Check that the input is the intended data type and format.
This is generally required for all programs to ensure that they work
properly but especially crucial for data intended as part of an SQL
statement.
- Accept numbers for a numeric comparison only.
- Do not allow special characters if they do not apply.
