This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Query Parameterization Cheat Sheet (Hawaiian Pidgin English)

From OWASP
Revision as of 13:36, 7 July 2014 by Jmanico (talk | contribs)

Jump to: navigation, search
Cheatsheets-header.jpg

Last revision (mm/dd/yy): 07/7/2014

Introduction

'Ey, Howzit? One SQL Injection is da moddah of all web vulnerabilities. Fo' real! So much so that it's the #1 item in the OWASP Top 10. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet. Mahalos yeah fo' checking out dis place. Shoots!

Parameterized Query Examples

SQL Injection is best prevented through the use of parameterized queries. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within a web application.

Prepared Statement Examples

Stored Procedure Examples

The SQL you write in your web application isn't the only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure this dynamic SQL is secure, you can parameterize this dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:

References

Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Dave Wichers - dave.wichers [at] aspectsecurity.com
Neil Matatal - neil [at] owasp.org

Other Cheatsheets