Menu
I just met a developer who prepended every table and column name in his MYSQL databases with an underscore (e.g. _users, _name, _active). When I questioned the practice he stated that this helps prevent SQL injection attacks - I have never come across this practice/advice before. How does it help to prevent SQL injection attacks?
687
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
1. Which of the following statement is TRUE about SQL Injection? Explanation: SQL Injection is a Code Penetration Technique and loss to our database could be caused due to SQL Injection.
The most common methods for detecting SQL injection attacks are web framework, static and dynamic analysis, and machine learning technique.
_this, _ here has no relation to security ,with that it can be vulnerable
Good read
Best way to prevent SQL injection?
40
No.
His thinking goes "If the attacker doesn't know the name of my tables, then the attacker can't mess with them." However, you're still vulnerable to SQL injection, and the attacker can still cause arbitrary system calls, perhaps to well-known system tables. What if he adds some SQL code that causes very long queries against a system table that bogs down your server?
Security through obscurity is no security at all.
55
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
