In-band Fix : Filtering
- Use filtering to escape black-listed characters.
- PHP and MySQL provide functions to help do this.
Out-of-band Fix : Prepared Statements
- Use a prepared query with parameters.
- Parameters are safely substituted in SQL statements.
Alternative Fix : ORM or LINQ
- Use Object-Relational Mapping (ORM) for structured DB access.
- Use LINQ in .NET to interact with databases safely.
Typical Vulnerabilities Fixes - In-band vs Out-of-band
The “in-band” solution is filtering to escape black-listed characters.
- PHP and MySQL provide functions to help do this, guaranteeing that meta-characters are quoted.
The “out-of-band” fix is to use a prepared query with parameters carved out for the substituted positions.
- A prepared query has placeholders for parameters which will be safely substituted.
A more general “out-of-band” solution is to use the programming language's embedded database support.
- Object-Relational Mapping (ORM) allows databases to be interrogated via objects directly.
- LINQ, Language-Integrated Query in .NET.
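The three lookups below put the in-band and out-of-band fixes side by side. This is an added example, not code from the original notes: it uses Python's standard sqlite3 module in place of PHP/MySQL, a constructed in-memory users table, a minimal quote-doubling escaper standing in for the PHP escaping functions the notes mention, and a constructed input string that closes the quoted literal. The concatenating version returns every row for that input; the escaped and the prepared versions both treat it as an ordinary name and match nothing.

```python
import sqlite3

# Constructed sample data (not from the notes): two users in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    """No fix: untrusted input is pasted straight into the SQL text,
    so a quote in the input becomes SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def escape_quotes(value):
    """In-band fix (hypothetical minimal escaper): the black-listed
    meta-character for a string literal is the single quote; doubling it
    keeps it inside the literal. Real code uses the driver's own function."""
    return value.replace("'", "''")

def lookup_escaped(conn, name):
    """In-band fix applied: the value is still spliced into the SQL text,
    but its meta-characters have been quoted first."""
    sql = "SELECT name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn, name):
    """Out-of-band fix: the SQL text carries a '?' placeholder and the
    driver binds the value separately, so it can never become syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed input that closes the literal and appends a tautology.
HOSTILE = "x' OR '1'='1"

def compare(conn, name):
    """Run the same input through all three lookups for a side-by-side view."""
    return {
        "concat": lookup_concat(conn, name),
        "escaped": lookup_escaped(conn, name),
        "prepared": lookup_prepared(conn, name),
    }

if __name__ == "__main__":
    db = make_db()
    print("normal name:", compare(db, "alice"))
    print("hostile name:", compare(db, HOSTILE))
```

The escaped and prepared lookups give the same answer here, but the in-band fix depends on the escaper matching the exact quoting context and character set the server will use; the prepared statement removes that dependency by never letting the parameter reach the SQL parser as text, which is why it is the more general fix.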