Defending Against SQL Injection

SQL Injection (SQLi) is an attack technique that gives an attacker access to database assets through a web application.  It takes advantage of applications that build SQL statements by concatenating user input into the query text: the attacker types SQL syntax into an input field (a login form, a search box, a URL parameter), and the application passes it to the database as part of a query over its own, already authorised, connection.  Once an "injection hole" is found, the attacker is free to explore the database: enumerate tables and columns, read or modify data, and look for further weaknesses in the database server that can be exploited.

Network-based defenses, such as Web Application Firewalls (WAFs), are one line of defense against SQLi attacks.  However, they are limited by how well their signatures keep pace with the latest SQLi attack variants, and a signature can only block what it has been written to recognise.  An experienced attacker will eventually find an encoding or a rewording that gets through these perimeter defenses, so they should back up, not replace, a fix in the application itself: parameterized queries, which keep user input out of the SQL text entirely.
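The two points above, the injection itself and the limits of signature matching, side by side as an added example (it is not code from the original page or from the vendor it links to).  It uses Python's built-in sqlite3 module with a constructed one-row users table; the signature list and the login routines are hypothetical stand-ins for a WAF rule set and an application's login code.  The concatenated query is defeated by the classic payload, the signature filter stops that payload but not a trivial variant, and the parameterized query rejects both.

```python
import sqlite3


# Constructed sample data: one user row in an in-memory SQLite database
# (an illustration added here, not a table from any real application).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so a quote in the input
    terminates the string literal and the rest is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the values travel separately from the SQL text
    and are never parsed as SQL, whatever characters they contain."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Hypothetical signature list standing in for a WAF rule set.
SIGNATURES = ("' or '1'='1", "' or 1=1", "union select")


def signature_filter_allows(value):
    """Returns False when the input contains a known attack signature."""
    lowered = value.lower()
    return not any(sig in lowered for sig in SIGNATURES)


def attempt(conn, login, username, password):
    """Runs a login through the signature filter, then through the given
    login routine.  Returns the username on success, None if the filter
    blocked the request or the query matched no row."""
    if not (signature_filter_allows(username) and signature_filter_allows(password)):
        return None
    return login(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    # Classic payload in the password field.  The WHERE clause becomes
    #   username = 'x' AND password = '' OR '1'='1'
    # and since AND binds tighter than OR, the row matches regardless of password.
    print(login_vulnerable(db, "x", "' OR '1'='1"))            # alice
    print(attempt(db, login_vulnerable, "x", "' OR '1'='1"))   # None: signature blocked it
    # A trivial rewording the signature list does not know about.
    print(attempt(db, login_vulnerable, "x", "' OR 'a'='a"))   # alice: filter bypassed
    # Parameterized query: neither payload matches a row.
    print(attempt(db, login_safe, "x", "' OR 'a'='a"))         # None
    print(login_safe(db, "alice", "correct horse battery staple"))  # alice
```

The signature filter is deliberately simple, but the lesson holds for real rule sets: they enumerate known bad strings, while the parameterized query needs no knowledge of the payload at all, because the input never reaches the SQL parser.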

Read more here: http://appsecinc.com [PDF format]