01 Jan 2000

Sql Injection Tool

Posted in Home by admin on 03/11/17

Answer: I used to recommend multiple ways to help prevent SQL injection (isnumeric checks, replacement for single quotes, etc.), but over time I have come to the

Common Attack Pattern Enumeration and Classification (CAPEC) mitigations:

Strong input validation. All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single quote or SQL comment markers, based on the context in which they appear. Keyword and character blacklists are a secondary control: they are routinely bypassed with encoding and case variations, so validation should enforce the expected type and format of each field and must never stand in for parameterization.

Use of parameterized queries or stored procedures. Parameterization restricts each input to a domain, such as string or integer; input outside that domain is invalid and the query fails, and a bound value is never parsed as SQL. Note that SQL injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically (for example, a procedure that concatenates its arguments into a string and executes it).

Use of custom error pages. Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that report that an error occurred without disclosing details of the database or application.

SQL Injection FAQ (SQLSecurity):

Answer: SQL injection is usually caused by developers who assemble SQL code from strings that include user input. For example (VBScript/ASP sample shown; the form-field name is illustrative):

Set myRecordset = myConnection.Execute("SELECT * FROM myTable WHERE someText = '" & Request.Form("someText") & "'")

This is the SQL injection problem: we are trusting that the user has not entered something other than a plain value. Let's consider what would happen if a user entered text of the following shape into the input field:

' exec master.… /ADD' --

Then, when the query string is assembled and sent to SQL Server, the server processes the following code:

SELECT * FROM myTable WHERE someText = '' exec master.… /ADD' --'

Notice that the first single quote entered by the user closed the string, and SQL Server eagerly executes the next SQL statements in the batch, including the exec. If this application were running as sa and the MSSQLSERVER service is running under a privileged account, the injected statements run with those privileges on the database host. Also note the use of the comment operator (--) to make SQL Server ignore the trailing quote appended by the application.

Single quotes are not the only problem. Consider a search where the input is a number rather than a string: the developer writes no quotes around it, so the attacker needs none to break out. If the user instead places SQL in the input and the developer does not verify that the value is numeric, SQL Server will likely execute it.

Secure your Web applications from SQL injection attacks with these steps. Websites developed with dynamic SQL must be protected from SQL injection attacks.

I have already posted a beginner's guide to SQL injection here at hackersthirst; if you haven't read that post, then kindly do read this below as well.

SQL injection has been a favorite hacking technique since 2007 and continues to evolve. However, it can be successfully mitigated with IIS Request Filtering. Request Filtering matches patterns in URLs, query strings and headers at the web-server layer; it never sees the final query the application builds, so it is a defense-in-depth layer, not a substitute for parameterized queries.

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution.
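The two failure modes above (a quoted string context broken out of with a single quote, and an unquoted numeric context that needs no quote at all) next to the CAPEC fixes (parameter binding plus domain validation), as an added example that is not from the original page, CAPEC or the SQLSecurity FAQ. It uses Python's sqlite3 against a constructed in-memory table; the table and text column names mirror the FAQ's myTable/someText, while the someNumber column, the row data and the three payloads are constructed for the demo. sqlite3's execute() refuses more than one statement per call, so the stacked-statement case uses executescript() to reproduce SQL Server's batch behaviour.

```python
import sqlite3


# Constructed sample database (not from the original page): a table shaped like the
# FAQ's myTable/someText, plus a numeric column for the "number rather than a string" case.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE myTable (id INTEGER PRIMARY KEY, someText TEXT, someNumber INTEGER)"
    )
    conn.executemany(
        "INSERT INTO myTable (someText, someNumber) VALUES (?, ?)",
        [("alpha", 1), ("beta", 2), ("secret", 3)],
    )
    conn.commit()
    return conn


# --- Vulnerable: the ASP pattern, query text assembled by concatenation ---------------

def search_vulnerable(conn, user_text):
    # Quoted string context. A leading ' in user_text closes the literal and the rest
    # of the input is parsed as SQL.
    sql = "SELECT someText FROM myTable WHERE someText = '" + user_text + "'"
    return [row[0] for row in conn.execute(sql)]


def search_by_number_vulnerable(conn, user_number):
    # Unquoted numeric context: the developer wrote no quotes, so the attacker needs
    # none either. "1 OR 1=1" is spliced straight into the WHERE clause.
    sql = "SELECT someText FROM myTable WHERE someNumber = " + user_number
    return [row[0] for row in conn.execute(sql)]


def search_batch_vulnerable(conn, user_text):
    # SQL Server runs everything in the string as one batch, so a payload can close the
    # literal, add its own statement and use -- to swallow the trailing quote.
    # executescript() gives sqlite3 the same batch semantics (execute() would refuse).
    # Returns the row count afterwards so the damage is observable.
    sql = "SELECT someText FROM myTable WHERE someText = '" + user_text + "'"
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]


# --- Hardened: parameterization plus domain validation (the CAPEC mitigations) --------

def search_safe(conn, user_text):
    # The value is bound as a parameter; the query text is fixed before input arrives,
    # so a quote or a keyword in user_text is just characters to compare against.
    sql = "SELECT someText FROM myTable WHERE someText = ?"
    return [row[0] for row in conn.execute(sql, (user_text,))]


def search_by_number_safe(conn, user_number):
    # Restrict the input to the integer domain first (the "isnumeric check"), then bind
    # it. Anything outside the domain is rejected before a query is built at all.
    try:
        n = int(user_number)
    except (TypeError, ValueError):
        raise ValueError("numeric parameter expected")
    sql = "SELECT someText FROM myTable WHERE someNumber = ?"
    return [row[0] for row in conn.execute(sql, (n,))]


# Constructed payloads (assumptions for the demo, not taken from the page).
TAUTOLOGY = "' OR '1'='1"               # string context: '' OR '1'='1'
NUMERIC_TAUTOLOGY = "1 OR 1=1"          # numeric context: no quote needed
STACKED = "'; DELETE FROM myTable; --"  # batch: close literal, add statement, comment out trailing quote


def run_demo():
    """Run every variant against a fresh database and return the observable outcomes."""
    conn = make_db()
    results = {
        "vuln_string_rows": sorted(search_vulnerable(conn, TAUTOLOGY)),
        "vuln_number_rows": sorted(search_by_number_vulnerable(conn, NUMERIC_TAUTOLOGY)),
        "safe_string_rows": search_safe(conn, TAUTOLOGY),
        "safe_exact_match": search_safe(conn, "alpha"),
        "safe_number_rows": search_by_number_safe(conn, "2"),
    }
    try:
        search_by_number_safe(conn, NUMERIC_TAUTOLOGY)
        results["safe_number_rejected"] = False
    except ValueError:
        results["safe_number_rejected"] = True
    # Stacked-statement payload against the parameterized query: bound, never executed.
    results["safe_stacked_rows"] = search_safe(conn, STACKED)
    results["rows_before_batch"] = conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]
    # Same payload through the batch-executing concatenation: the table is emptied.
    results["rows_after_batch"] = search_batch_vulnerable(conn, STACKED)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The batch variant is the only one that needs executescript(); a driver that refuses multiple statements per call (as sqlite3's execute() does) blocks stacked queries but does nothing against the tautology or numeric cases, which is why binding and type validation are the controls that matter rather than driver behaviour.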