Recent Posts

    Authors

    Published

    Tag Cloud

    PCI
    How are SQL Injection attacks prevented?

    SQL injection is a code injection technique, used to attack data driven applications like stSoftware.

    stSoftware systems support a number of web accessible protocols including:-

    • ReST
    • SOAP
    • Web Forms
    • GWT RPC 

    All protocols access the underlying data through the DAL ( data access layer). There is NO direct access to the underlying data store no matter which protocol is used. Each protocol accepts the request to read or write data and then perform the protocols validations and then passes the request on to the DAL to execute the request which in turn validates the request, checks the user's access and perform any validations before returning the result.

    SQL & XSS attacks are automatically tested for each of the supported protocols. Listed below are the standard SQL injection strings attempted.

    SQL Injection String
    "&amp;%00<!--\'';你好
    \';

    by:Nigel Leck - 14 Mar 2014