Raya Deleva’s Web


SQL Injection - a few ways to prevent it

Until today, I never took seriously what SQL injection in fact is and how SQL queries can be tampered with. Maybe because the projects I worked on until now weren't so big and I wasn't afraid for the information in the DB, because the information wasn't any kind of secret. But what if you (or I) have to work on a secure new project where that matters more?

SQL injection is the name for a general class of attacks that can allow nefarious users to retrieve data, alter server settings, or even take over your server if you're not careful. SQL injection is not a SQL Server problem, but a problem with improperly written applications.

Some ways to prevent SQL injection are:

  • perform a regular expression match - if the user input field is, for example, "email", you can reject "bad symbols" with a regular expression before the value reaches the query.
  • escaping quotes - not every input field can be verified with an expression; a "company name" can hold many different symbols, so the quotes inside it must be escaped (or, better, the value bound as a parameter) instead of being concatenated into the SQL string.
  • configure error reporting - when a site is on the Internet, it is good that no one can see errors from queries. The problem is that when a query is wrong in some way and the error is printed, a possible attacker can see the names of database tables and fields. In PHP, error display can be turned off with
    error_reporting(0);
    ini_set('display_errors', 0);
  • use stored procedures for database access - this is what I am learning right now, but I read that it is a secure way.
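Here is an added example (not from the original post) that puts the first three measures from the list into one runnable PHP script. It uses PDO with an in-memory SQLite database so it runs offline with the PHP CLI (it assumes the pdo_sqlite extension is available); the table, the rows and the attacker-style input are constructed for the demonstration. Stored procedures are not shown because SQLite has none. The vulnerable concatenation pattern is included only for contrast with the escaped and parameterised versions.

```php
<?php
// Added example, not the post's own code. Requires the pdo_sqlite extension.

// Error reporting as the post recommends: never show query errors to the
// visitor, send them to the log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed in-memory database with two rows; one company name contains a
// legitimate apostrophe so we can check that escaping does not break it.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, company TEXT)");
$pdo->exec("INSERT INTO users (email, company) VALUES
            ('alice@example.com', 'Acme'),
            ('bob@example.com', 'O''Reilly & Sons')");

// Constructed attacker-style input: a tautology that turns the WHERE clause
// into "company = '' OR '1'='1'" when it is concatenated into the SQL text.
$evil = "' OR '1'='1";

// 1) Regular expression match: an email address has a narrow shape, so
//    anything that does not fit is rejected before any query is built.
function isValidEmail(string $value): bool
{
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $value) === 1;
}

// 2) Escaping quotes: for a free-form field such as "company name",
//    PDO::quote() doubles embedded single quotes and wraps the value in
//    quotes using the rules of the current driver.
function findByCompanyEscaped(PDO $pdo, string $company): array
{
    $sql = "SELECT email FROM users WHERE company = " . $pdo->quote($company);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3) Prepared statement with a bound parameter: the value never becomes part
//    of the SQL text at all, which makes this the most robust option.
function findByCompanyPrepared(PDO $pdo, string $company): array
{
    $stmt = $pdo->prepare("SELECT email FROM users WHERE company = :company");
    $stmt->execute([':company' => $company]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// For contrast only: the string-concatenation pattern the post warns about.
function findByCompanyVulnerable(PDO $pdo, string $company): array
{
    $sql = "SELECT email FROM users WHERE company = '" . $company . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Run the same hostile input through each variant and a genuine value
// through the prepared statement to confirm apostrophes are still handled.
var_dump(isValidEmail('alice@example.com'));
var_dump(isValidEmail($evil));
print_r(findByCompanyVulnerable($pdo, $evil));
print_r(findByCompanyEscaped($pdo, $evil));
print_r(findByCompanyPrepared($pdo, $evil));
print_r(findByCompanyPrepared($pdo, "O'Reilly & Sons"));
```

Run it with `php example.php`. The concatenated query is the only one that lets the tautology widen the WHERE clause; the escaped and the bound versions compare the whole hostile string as a plain value and find nothing, while the last call shows that a real name containing an apostrophe still matches.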

For different cases of attacks you can try, read "SQL Injection Attacks by Example".

Category: Web development, posted date: 22.05.2006
