A: SQL Injection is an attack on databases that sit behind a web server front-end. The issue is that the application does not properly 'sanitize' input data before building database queries with it. By submitting carefully crafted input, the attacker is able to gain unauthorized access to the database. This access can take various forms, including read access, the ability to change data, and in some cases complete compromise of the database server itself.
A: You must ensure that ALL input data is properly verified and that only the specific data requested is passed on to the web application. For example, if the user is asked for a ZIP code, accept only the digits 0-9 and perhaps a dash. Check the proper length and format of each input field. Don't forget input areas such as search fields, "Contact Us" forms, etc.
A: Blind SQL Injection is a variation on the standard SQL Injection attack. Blind SQL Injection attacks occur when a web application is vulnerable to SQL Injection but does not display results to the attacker. This type of attack usually takes longer and requires different tools to perform. The use of parameterized statements can help prevent this type of attack.
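The two defenses above (an allowlist check on the ZIP code field, then a parameterized statement) as an added example that is not part of the original page; the table and its rows are constructed for illustration and the ZIP+4 format is an assumption.

```python
import re
import sqlite3
from typing import List, Optional

# Allowlist for a ZIP code: 5 digits, optionally "-" plus 4 digits.
# Assumption: "digits 0-9 and perhaps a dash" is read as US ZIP / ZIP+4.
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")


def validate_zip(value: str) -> Optional[str]:
    """Return the ZIP code if it matches the allowlist, else None."""
    if not isinstance(value, str) or len(value) > 10:  # length check first
        return None
    return value if ZIP_RE.fullmatch(value) else None


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not taken from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stores (name TEXT, zip TEXT)")
    conn.executemany(
        "INSERT INTO stores VALUES (?, ?)",
        [("Downtown", "10001"), ("Airport", "30337"), ("Harbor", "10001")],
    )
    return conn


def stores_in_zip(conn: sqlite3.Connection, user_input: str) -> List[str]:
    """Validate first, then query with a parameterized statement.

    The '?' placeholder makes the driver send the value as data, so even
    input that slipped past validation could never alter the SQL text.
    """
    zip_code = validate_zip(user_input)
    if zip_code is None:
        return []  # reject; a real app would log and return an error
    rows = conn.execute(
        "SELECT name FROM stores WHERE zip = ? ORDER BY name", (zip_code,)
    )
    return [name for (name,) in rows]


def parameterized_only(conn: sqlite3.Connection, user_input: str) -> List[str]:
    """Second layer on its own: with no validation, a quote or keyword in
    the input is still just a string literal compared against the column."""
    rows = conn.execute("SELECT name FROM stores WHERE zip = ?", (user_input,))
    return [name for (name,) in rows]
```

Keep both layers: validation rejects malformed data early and gives you something to alert on, while the parameterized query guarantees the input can only ever be a value, never SQL.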
A: Whether or not XSS attacks can be completely eliminated is open for debate. However, just like SQL Injection, XSS vulnerabilities can be greatly reduced by properly sanitizing input data: allow only the specific input data requested. Sometimes this alone is not enough to prevent XSS attacks. Proper cookie security is another issue that needs to be addressed, and other techniques for preventing XSS attacks should be applied as well.