Thursday, June 19, 2008

I open sourced a project on CodePlex for handling SQL injection attacks.  The main piece is an httpModule that you can have check requests to the web server.  It’s very primitive at the moment, using a blacklist to filter request values (Querystring, Form and Cookies).  For example, “lend” and “Bender” both fail the validation check because the word “end” is on the black list (we will disregard the fact that we may use the word “end” somewhere).  So, what are the best practices for handling SQL statements posted to a web server?  Is there some preexecution check, or better heuristics for filtering?

The project can be found here: