Well, if your a web developer (this also applies to desktop developer, it's not exclusive for web developers although that is probably where it most common) the first thing you need to remember is that EVERYTHING ON THE CLIENT IS COMPROMISED.
Proof your queries against SQL injectionsIn case you don't know what an SQL injection is I highly suggest you take a break from your current programming task and read more about it. Basically SQL injections is inserting code you did not intend to into your queries, code that can do harm.
Here is an example from PHP's guide about SQL injection:
Let's assume this code exists on your server:
Now, imagine that instead of a regular size the user would send you this string instead:
$query = "SELECT id, name, inserted, size FROM products
WHERE size = '$size'";$result = odbc_exec($conn, $query);
This would basically print all the users in your system including their password.' union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable; --
SQL Injections can do nasty things like download all your username/passwords/credit-cards, delete it (no example, sorry) and even break down your site!
So what can you do?
There are numerous ways to protect yourself against SQL injections. It all depends on your programming language of choice. However, the 3 basic methods which are recommended for everyone (and are also listed on Wikipedia are:
1. Use escaping - special command that disables the special meaning for characters
2. Check you data is formmated as you'd expect it to (i.e. phone number appears as phone number, name doesn't contain things it should, email is firstname.lastname@example.org*)
3. Limited permissions - make sure your queries use the most limited permissions as possible.
Two more noteable methods to use:
4. Use predefined formatted queries - which don't allow much room for leeway.
5. Use frameworks/tested environments - things like Codeigniter, Wordpress, Blogger, Wikipedia, etc. Are well tested tools used by millions around the world. Most chances that they already ironed out the security bugs you haven't thought about.
Keep sensitive data on database encryptedIf someone does retrieve your database chances are this won't help very much. But it sure would make their life more difficult to decrypt the information they already have, giving you precious time to change this information on the server. I'm referring you to Coding Horror excellent post regarding which algorithm to choose (it appears at the end).
And now, some funny sql injection pictures:
XKCD: Exploits of a Mom
SQL Injection TShirt