I agree that correct input validation is the only 'fool-proof' way to prevent SQL Injection; however, it requires modifying a lot of code in existing applications and might require a badly designed application to be restructured.
There has been a lot of academic interest in automated mechanisms to prevent SQL Injection (I won't list them here; I've done a literature survey and seen at least 20), but I haven't seen anything that's actually been implemented.
Does anyone know of any framework that's actually in use outside an academic environment, either Signature-Based, Anomaly-Based, or otherwise?
Edit: I'm looking for something that does not modify the code-base.
The company I work for uses Barracuda Web Application Firewall for what you are talking about. From what I have seen it works fairly well. Basically, if it detects suspect input it will redirect the user to a page of our choosing. This allows you to place a layer between the internet and your applications and does not require you to change any of your code.
That said, it's a bad idea to not secure your applications.
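As an added illustration (not part of the answer above and not Barracuda's product or rules), here is a toy version of both layers in Python: a WSGI middleware that checks query parameters against constructed signatures and redirects on a match, wrapped around an app whose code it never touches, while the app itself already uses a parameterized query. The signature list, the sample `users` table and the `make_app`/`call` helpers are all assumptions made for the demo.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed toy signatures, not any vendor's rule set.
SIGNATURES = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),
    re.compile(r"(?i)\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),
    re.compile(r"--|/\*"),
]

def suspicious(value):
    """Signature-based check on one request parameter value."""
    return any(sig.search(value) for sig in SIGNATURES)

def waf_middleware(app, block_page="/blocked"):
    """Wrap any WSGI app without changing it: inspect query parameters and
    redirect to a chosen page when a signature matches."""
    def wrapper(environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""))
        if any(suspicious(v) for vals in params.values() for v in vals):
            start_response("302 Found", [("Location", block_page)])
            return [b""]
        return app(environ, start_response)
    return wrapper

def make_app():
    """Constructed sample app: looks up a user's role with a parameterized
    query, so it stays safe even when the WAF layer is absent."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    def app(environ, start_response):
        name = parse_qs(environ.get("QUERY_STRING", "")).get("name", [""])[0]
        row = db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [(row[0] if row else "unknown").encode()]
    return app

def call(app, query_string):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body
```

The signature list only catches the patterns it encodes, which is why the answer still recommends securing the application itself; the parameterized query returns `unknown` for the same input even with the middleware removed.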