How to prevent SQL Injection?
SQL Injection countermeasures include:
Input type checking – Since the essential problem is that the user introduces malformed input, the programmer filters out characters that can be abused, such as “,”. This is not trivial; recent work has examined the correctness of tools for sanitizing inputs and found that most existing input sanitation tools contain errors.
Positive Pattern Matching – Check that the input matches the format of a good input.
Penetration Testing – Attempt SQL Injection attacks against the interface to verify that they are properly detected.
Static Code Checking – Use code checking tools to verify program correctness, for example to flag queries built from unchecked input.
Limit the amount of database access allowed to remote users – Make sure user inputs go through an API and that the user has limited rights on the database.
Avoid dynamic SQL use – Force user inputs into a static statement template (bound parameters) rather than splicing them into the SQL text, or bind them to existing tables.