0

I was trying to write my own filter before I came across antisamy project that allows you to configure and prevent XSS attack. But I was just wondering if same can be used to prevent sql injection attack?

Any one who has implemented antisamy to prevent sql injection attack can you please let me know how can we go forward.

astra03
  • 505
  • 1
  • 7
  • 18

3 Answers3

5

No, Antisamy doesn't protect you against SQL injections.

In order to prevent SQL injection attacks, a first step is to use prepared statements. OWASP has a good guide on this.

samottenhoff
  • 720
  • 4
  • 14
Kai Sternad
  • 22,214
  • 7
  • 47
  • 42
  • we are using callable statement for invoking procedures but the real issue is we are building the sql queries in our procedure to execute certain business logic and this procedure are large and complex and re-factoring sql queries is difficult and will take a long time to test the entire functionality and hence was looking for much better option – astra03 Oct 17 '13 at 19:55
0

I have used a custom filter to remove all the suspicious character that can be used to do SQL injection attack. We are using callable statement but the real problem was the procedure code were we are building SQL queries to perform certain business logic and this procedure are large in number and complex, rewriting it would be an additional effort both from developer and functional users end and hence we though filtering and removing all such character that could be leading to injection attack will be a optimal short term solution considering our present situation.

astra03
  • 505
  • 1
  • 7
  • 18
0

Antisamy was used for XSS issue

Antisamy was implemented only in JAVA & DOT NET or if available for python Plz give me the details

sathish
  • 149
  • 9