Injection Attacks
By submitting carefully devised input to a poorly designed system, an attacker can trick a server script into executing SQL commands that are not allowed for a client. An open-source software package may be especially vulnerable to SQL injection, because its database architecture is publicly known. Never trust any form of input, even if it originates from a select box, a hidden input field, or a cookie.

To prevent injection attacks, a web developer should properly validate all input from the client. Prepared statements with parameterized queries are very effective in this regard, because they compile all runnable parts of a query beforehand and accept the input only as plain data that cannot be executed. Prepared statements also increase the computational efficiency of repeated SQL commands, as they need not be parsed multiple times.

Additionally, the database privileges of the account that serves casual visitors can be limited, so that even a successfully injected command cannot do more than that account is allowed to.