Code-Level Defenses

This chapter navigates through several large areas of secure coding behavior as it relates to SQL injection. It discusses alternatives to dynamic string building when using SQL in an application, and then describes different strategies for validating input received from the user, and potentially from elsewhere.

As a more secure alternative to dynamic string building, most modern programming languages and database access application program interfaces (APIs) allow one to supply parameters to an SQL query through placeholders, or bind variables, instead of building the query text directly from the user input.

One of the most powerful controls one can use to prevent SQL injection is validation of the input that an application receives. Input validation is the process of testing input received by the application for compliance against a standard defined within the application. It can be as simple as strictly typing a parameter and as complex as using regular expressions or business logic to validate input. There are two different types of input validation approaches: whitelist validation (sometimes referred to as inclusion or positive validation) and blacklist validation (sometimes known as exclusion or negative validation).
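As an added example (not code from the chapter), the following Python snippet contrasts dynamic string building with a bound-parameter query using the standard `sqlite3` module, and adds a whitelist check for a value that cannot be passed as a bind variable, a column name used in `ORDER BY`. The table, its rows, the allowed column set and the username pattern are all constructed for this illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, username: str) -> list:
    # Dynamic string building: the input becomes part of the SQL text,
    # so a quote character in it changes the meaning of the statement.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, username: str) -> list:
    # Placeholder / bind variable: the input is sent as data and is
    # compared literally, never parsed as SQL.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Whitelist (positive) validation. Both sets are hypothetical for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def validate_username(username: str) -> bool:
    # Accept only what the application defines as a well-formed username.
    return USERNAME_RE.fullmatch(username) is not None


def list_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    # A column name cannot be bound, so it is checked against a fixed
    # whitelist before it is allowed anywhere near the query text.
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not in whitelist: %r" % sort_column)
    return conn.execute("SELECT username FROM users ORDER BY " + sort_column).fetchall()


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"          # constructed input containing a quote
    print(lookup_dynamic(db, tainted))  # every row: the quote altered the WHERE clause
    print(lookup_bound(db, tainted))    # no rows: compared as a literal string
    print(validate_username(tainted))   # False: rejected before reaching the database
```

Note that the bound query still returns the same rows as the dynamic one for well-formed input such as `alice`; only the handling of hostile input differs.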