Always validate user input received from a database client or application by testing its type, length, format, and range before passing it to the database server. Validating user input reduces the risk of SQL injection; combined with parameterized commands it keeps input from ever being parsed as SQL. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
The following steps can be taken to remediate SQL injection vulnerabilities:
- Review TSQL and application code for SQL injection
- Only permit minimally privileged accounts to send user input to the server
- Minimize the risk of SQL injection by using parameterized commands and stored procedures (a stored procedure that concatenates its arguments into a dynamic SQL string and executes it is still injectable; pass values as parameters, e.g. via sp_executesql)
- Reject user input containing binary data, escape sequences, and comment characters
- Always validate user input and never use it directly to build SQL statements

Impact: Sanitizing user input may require changes to application code or database object syntax. These changes can require applications or databases to be taken temporarily offline. Any change to TSQL or application code should be thoroughly tested in a test environment before production implementation.
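The following is an added example, not part of the benchmark or plugin text, showing the difference the remediation steps make in application code: a login query built by string concatenation beside the same query using parameters, plus the type/length/format/range validation described above. It assumes a constructed Users table and uses Python's built-in sqlite3 module as a stand-in for SQL Server so that it runs offline; the DB-API "?" placeholder has the same shape as the one pyodbc uses against SQL Server, and the function and table names are illustrative.

```python
import re
import sqlite3

# Added example (not from the benchmark). sqlite3 stands in for SQL Server so
# the demo runs offline; the Users table and its rows are constructed sample data.


def make_db():
    """Create an in-memory database with a constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT, "
        "Password TEXT, IsAdmin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Users (Username, Password, IsAdmin) VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' form: user input is concatenated straight into the statement,
    so a value such as ' OR 1=1 -- rewrites the WHERE clause."""
    sql = (
        "SELECT Username FROM Users WHERE Username = '%s' AND Password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The fix: values travel as parameters and are never parsed as SQL."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Allow-list of characters a username may contain (assumed policy for the demo).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Type, length and format checks. Because the format is an allow-list,
    quotes, comment characters (-- and /* */), escape sequences and binary
    data are all rejected without having to enumerate them."""
    if not isinstance(value, str):
        raise ValueError("username: wrong type")
    if not 1 <= len(value) <= 32:
        raise ValueError("username: bad length")
    if USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username: bad format")
    return value


def validate_user_id(value):
    """Type and range checks for a numeric key; a string like '1 OR 1=1'
    fails the type check before any SQL is built."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("user id: wrong type")
    if not 1 <= value <= 2**31 - 1:
        raise ValueError("user id: out of range")
    return value


def get_user(conn, user_id):
    """Validate the key, then look it up with a parameter."""
    uid = validate_user_id(user_id)
    rows = conn.execute("SELECT Username FROM Users WHERE Id = ?", (uid,)).fetchall()
    return rows[0][0] if rows else None


def login(conn, username, password):
    """Hardened entry point: validate first, then parameterize."""
    validate_username(username)
    if not isinstance(password, str) or not 1 <= len(password) <= 128:
        raise ValueError("password: bad type or length")
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:    ", login_vulnerable(db, payload, "x"))      # every user
    print("parameterized: ", login_parameterized(db, payload, "x"))  # []
    try:
        login(db, payload, "x")
    except ValueError as exc:
        print("rejected:      ", exc)
```

Running the block shows the concatenated query returning every user for the payload, the parameterized query returning nothing for the same input, and the validating entry point rejecting it before a statement is built. The validation layer is the defence the benchmark text asks for; parameterization is what makes the query safe even when a validation rule is missed.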