Defending against SQL injection – code-level defenses
As we said earlier, code-level defenses, applied correctly, should foil any attempt by a malicious agent to attack your application. Mistakes can always be made, however, so the wisest course is to apply several defense mechanisms at once. In this section, we explore the main tools at our disposal for thwarting SQL injection attacks against our application, and we show how these controls can be implemented in actual code in three programming languages commonly used for developing web applications: Java, PHP, and .NET.
Input validation
Input validation is the process of accepting or rejecting input based on its content. We want only safe input to be processed by our application, which prevents most attacks against it. Only input that is valid according to our rules is accepted and processed; everything else is rejected.
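As an added illustration (example code written for this edit, not taken from the book, and in Python rather than Java, PHP, or .NET so that it runs stand-alone), the following shows one way to express "valid input, according to our rules": a per-field table of patterns describing the only shapes the application will accept, with everything else rejected by default. The field names, patterns, and the tiny in-memory `users` table are constructed for the demo. The `find_user` helper also binds the validated value as a query parameter, so that validation is one layer and parameterization is a second, in the spirit of applying several defenses at once.

```python
import re
import sqlite3

# Constructed validation rules (hypothetical, for illustration only):
# each field name maps to a pattern describing the ONLY input shape
# the application accepts. Anything that does not match is rejected.
ALLOWLIST = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "order_id": re.compile(r"[0-9]{1,10}"),
    "sort_column": re.compile(r"name|price|created_at"),
}


def validate(field: str, value: str) -> bool:
    """Return True only if the whole value matches the field's rule."""
    pattern = ALLOWLIST.get(field)
    if pattern is None:
        return False  # unknown field: reject by default, never accept
    return pattern.fullmatch(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)]
    )
    conn.commit()
    return conn


def find_user(conn: sqlite3.Connection, username: str):
    """Validate first; then query with a bound parameter as a second layer."""
    if not validate("username", username):
        raise ValueError("input rejected by validation")
    cur = conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    )
    return cur.fetchone()


if __name__ == "__main__":
    db = build_demo_db()
    print(find_user(db, "alice"))
    for bad in ("ab", "alice; DROP TABLE users", "x" * 40):
        try:
            find_user(db, bad)
        except ValueError as exc:
            print(f"{bad!r}: {exc}")
```

Note that `validate` uses `fullmatch`, so a value containing extra characters before or after an otherwise valid token is rejected; a partial match would be a common mistake that lets unexpected content through.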
Validation follows two main approaches...