Encrypting query string to prevent sql injection

ChrisFarrugia

Dear all, From your experiences, does encrypting the query string help in preventing sql injection? Thanks a lot, Chris

Mark J Miller

It seems to me the wrong solution to the problem. To prevent injection attacks you should be using parameters for all values. If you are dynamically building strings you shouldn't be using direct user input. This will protect your sql stamtents at the level they should be. If an attacker finds away around your protections they you're subject to attacks all over again. Properly written sql is the only way to prevent against attacks - parameters and never concatenating user input into your strings.

Mark's blog: developMENTALmadness.blogspot.com