Preventing SQL injection attack

SQL injection attacks occur when an application builds a SQL query by concatenating user input into the query text. Whatever the user enters through the application interface becomes part of the SQL statement executed against the database, so input containing SQL syntax changes the meaning of the query.

Practices for preventing SQL injection attacks:

1. Cleaning and validating input.

Clean and validate the user's input before it reaches the database layer, e.g. trim() it and check its length against what the field is expected to hold. Input that is longer than expected may be an injection attempt and should be rejected.

2. Using stored procedures.

Stored procedures type-check their input parameters. Static stored procedures take no parameters and are therefore safe to call, and stored procedures that contain only parameterized SQL are also resistant to SQL injection. A stored procedure that builds dynamic SQL from its parameters does not get this protection.

3. Using prepared statements for dynamic SQL.

When the query must be generated dynamically, use prepared statements: the SQL text is fixed and the user input is bound as a parameter, so it can never be interpreted as part of the query.

4. Use a least-privilege database account.

Give the application's database account only the permissions it needs, limited to the particular tables it works with, so that a successful injection cannot read or modify more than that account is allowed to.
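The following added example (not part of the original article) puts practices 1 and 3 side by side in Python with the standard sqlite3 module: a length-checked, trimmed input, a lookup that concatenates the input into the SQL text, and the same lookup rewritten with a bound parameter. The in-memory users table and the sample rows are constructed for the example.

```python
import sqlite3
from typing import List, Optional

# Constructed sample data: an in-memory table that stands in for the application's database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "alice@example.com"), ("bob", "bob@example.com")],
)

MAX_NAME_LEN = 32  # assumed limit for a username field


def clean_name(raw: str) -> Optional[str]:
    """Practice 1: trim the input and reject anything outside the expected length.

    Returns the cleaned value, or None when the input should be rejected.
    """
    cleaned = raw.strip()
    if not cleaned or len(cleaned) > MAX_NAME_LEN:
        return None
    return cleaned


def lookup_concat(name: str) -> List[str]:
    """Vulnerable form: the user's input becomes part of the SQL text itself."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in _conn.execute(sql)]


def lookup_param(name: str) -> List[str]:
    """Practice 3: the SQL text is fixed and the input is bound as a parameter,
    so the database never interprets it as query syntax."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in _conn.execute(sql, (name,))]


if __name__ == "__main__":
    # A value that is valid data but also valid SQL syntax behaves very differently
    # in the two lookups: the concatenated query returns every row, the bound one none.
    crafted = "x' OR '1'='1"
    print("concatenated:", lookup_concat(crafted))
    print("parameterized:", lookup_param(crafted))
```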

