Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

A.R.M. Yourself Against SQL Injection

To effectively protect your web application from SQL injection attacks, you must ARM yourself. That is, when writing applications, be sure to validate every input string. There are three, and only three, options when given a piece of data:
  • Accept it
  • Reject it
  • Modify it
It might seem obvious that all input must be validated. Too often, webmasters and programmers are focused on getting a working application under time pressure and may not implement the best security practices.

So what does it mean to ARM yourself? Well, one good step is to use the string cleansing functions of your programming language. Also, if a field is supposed to be a number, then explicitly convert it from a string to a number.
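As an added example that is not part of the original post, here is the A.R.M. decision applied in Ruby to two hypothetical form fields (an integer id and a username), with the validated values then handed to the database as bind parameters rather than spliced into the SQL text. The field names, the username pattern and the users table are assumptions for the illustration.

```ruby
# Added example (not from the original post). Field names, the username
# pattern and the users table are hypothetical.

# Explicit numeric conversion: Integer() raises on anything that is not an
# integer literal, so "1 OR 1=1" is rejected instead of being coerced to 1.
def arm_integer(raw)
  value = Integer(raw.to_s.strip, 10)
  [:accept, value]
rescue ArgumentError, TypeError
  [:reject, "expected an integer, got #{raw.inspect}"]
end

# A username field: accept it as-is when it matches the allowed pattern,
# modify it (trim, lowercase) when only those cosmetic fixes are needed,
# and reject everything else.
USERNAME = /\A[a-z0-9_]{3,20}\z/

def arm_username(raw)
  return [:reject, "username missing"] if raw.nil?
  return [:accept, raw] if raw.match?(USERNAME)
  cleaned = raw.strip.downcase
  return [:modify, cleaned] if cleaned.match?(USERNAME)
  [:reject, "username #{raw.inspect} contains disallowed characters"]
end

# Build a parameterised query from the validated values. The SQL text is
# constant; the values travel separately as bind parameters. The query is
# returned rather than executed, so this runs without a database.
def find_user_query(params)
  id_result   = arm_integer(params["id"])
  name_result = arm_username(params["username"])
  failures = [id_result, name_result].select { |r| r.first == :reject }
  return [:reject, failures.map(&:last)] unless failures.empty?

  sql = "SELECT id, username FROM users WHERE id = ? AND username = ?"
  [:accept, sql, [id_result.last, name_result.last]]
end
```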

I originally talked about this at the ACMSE-2006 conference in May. I will have to write up some more on the topic at a later date.

About Frank Rietta


Frank Rietta specializes in working with startups and new Internet businesses, and in developing on the Ruby on Rails platform to build scalable businesses. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.