Preventing SQL injection attacks

SQL injection attacks might occur when dynamic SQL statements are constructed from user input and the input is inadequately checked. You can use several techniques to prevent or reduce SQL injection attacks.

Procedure

To eliminate or reduce the risk of SQL injection attacks:

  • Avoid dynamic SQL, whenever possible.
  • Use pureQuery® or SQLJ rather than JDBC for Java™.
  • Use system security techniques, such as views and access control mechanisms, whenever possible.

    Understand the limitations of security within an application. System security can use security and integrity mechanisms that are not available to application programs, so the level of assurance that system security provides can be much higher. If the applications run on the client, or have fewer protection layers and firewalls than the database, make sure to address those limitations.

  • Use row permissions and column masks to protect data even if the statement is compromised by SQL injection attacks.
  • Put input data into host variables that contain only the value, or use parameter markers in dynamic SQL.
  • Make sure to check all input:
    • Check that the input is the intended data type and format. Such checks are generally required for all programs to ensure that they work properly, but they are especially crucial for data that becomes part of an SQL statement.
    • Accept numbers only for a numeric comparison.
    • Do not allow special characters where they do not apply.
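
The following is an added example, not code from the original page or from the product documented there, showing the procedure above in Python against an in-memory SQLite table. It contrasts dynamic SQL built by concatenation with the same query using a parameter marker, and adds the input checks the list calls for: a format check on a string value and a numbers-only check before a numeric comparison. The table, column names and sample rows are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the original page): a small in-memory table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?)",
        [(1, "Alice", "SALES", 50000), (2, "Bob", "IT", 65000), (3, "Carol", "SALES", 52000)],
    )
    return conn


def find_by_dept_unsafe(conn, dept):
    # Dynamic SQL assembled from user input: the pattern the procedure tells you to avoid.
    # Whatever the caller passes is parsed as part of the statement text.
    sql = "SELECT id, name FROM employees WHERE dept = '" + dept + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_by_dept_safe(conn, dept):
    # Parameter marker: the value is bound separately and is never parsed as SQL,
    # so the statement structure cannot be altered by the input.
    sql = "SELECT id, name FROM employees WHERE dept = ? ORDER BY id"
    return conn.execute(sql, (dept,)).fetchall()


# Format check: department codes are 2 to 10 upper-case letters in this constructed schema.
# Special characters do not apply here, so they are rejected outright.
DEPT_RE = re.compile(r"[A-Z]{2,10}")


def validate_dept(value):
    if not isinstance(value, str) or DEPT_RE.fullmatch(value) is None:
        raise ValueError("department code must be 2-10 upper-case letters")
    return value


def validate_employee_id(value):
    # Numeric comparison: accept digits only (ASCII, so str.isdigit() is not used),
    # then convert, so the database receives an integer rather than text.
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError("employee id must be an integer or a digit string")
    if isinstance(value, str):
        if re.fullmatch(r"[0-9]{1,9}", value) is None:
            raise ValueError("employee id must be a decimal integer")
        value = int(value)
    if value <= 0:
        raise ValueError("employee id must be positive")
    return value


def find_by_id(conn, raw_id):
    # Validate first, then bind: both layers of the procedure applied together.
    emp_id = validate_employee_id(raw_id)
    return conn.execute(
        "SELECT id, name FROM employees WHERE id = ?", (emp_id,)
    ).fetchall()


def find_by_dept_checked(conn, raw_dept):
    return find_by_dept_safe(conn, validate_dept(raw_dept))


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"
    print("unsafe, tampered input :", find_by_dept_unsafe(db, tampered))  # every row
    print("safe, tampered input   :", find_by_dept_safe(db, tampered))    # no rows
    print("checked lookup         :", find_by_dept_checked(db, "SALES"))
    print("lookup by id           :", find_by_id(db, "2"))
```

The same tampered string returns every row through the concatenated statement and no rows through the bound parameter, which is the difference between text being interpreted as SQL and text being compared as a value. The validators give a second, independent layer: even where a parameter marker is in use, rejecting a malformed department code or a non-numeric id keeps bad data out of the statement entirely and gives you a clear error to log.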