There are several ways to beat SQL injection, the simplest of which is to not send dynamic data in the query string. Instead, just store them in session variables.
Another method is to create a middle layer between your web app source code and your database. Basically an XML webservice consumed by your main application. The webservice contains all your stored procedures and has methods you can call to get data and set data. All your application needs to know is how to interface with the web service, and the web service in turn handles opening, updating, and closing of database files. This is the proper enterprise solution used in system critical web applications in the financial industry.
Lastly, if you have no choice but to send data in the command line, have your developer develop some bit shifting encryption algorithms and encrypt/decrypt the code as needed on each page load. That way all the end user ever sees is gobbledygook, and would have to brute force strings of random characters to ever hurt your database.
If you would like to hire me as a consultant to help you fix your problem, e-mail me at my handle at g m a i l.
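The post's premise is that dynamic data reaching the SQL statement is what gets abused. The following is an added example, not the poster's code, written in Python against the standard sqlite3 module with a constructed in-memory users table (the table, column names and sample rows are assumptions). It contrasts gluing a value into the SQL text with binding it as a parameter, using a legitimate name containing an apostrophe as the input: the concatenated version breaks because the quote is parsed as SQL, while the bound version treats it as plain data.

```python
import sqlite3


def make_db():
    # Constructed sample data (assumption: a users table keyed by name).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    # Defective pattern: the user-supplied value becomes part of the SQL text,
    # so any quote character in the value changes the statement's structure.
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened pattern: the SQL text is fixed and the value is bound separately,
    # so the database never parses the value as SQL, whatever it contains.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name):
    # Run both lookups for one input; report the concatenated version's parse
    # failure as a string instead of raising, so the two results can be compared.
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    param = lookup_parameterized(conn, name)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for n in ("alice", "O'Brien"):
        print(n, demo(n))
```

For "alice" both lookups return the same row; for "O'Brien" the concatenated query fails to parse while the bound query returns the expected row, which is exactly the property that stops the value from altering the statement.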