This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Abridged SQL Injection Prevention Cheat Sheet"

Jump to: navigation, search
m (SQL Injection Prevention Overview)
m (SQL Injection Prevention Overview)
Line 15: Line 15:
| Java - Standard
| Java - Standard
   String custname = request.getParameter("customerName"); // This should REALLY be validated too
   String custname = request.getParameter("customerName");  
  // perform input validation to detect attacks
   String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
   String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";

Revision as of 23:46, 17 November 2011



SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.

SQL Injection Prevention Overview

SQL Injection is best prevented through the use of parametrized queries. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.

Related Articles

OWASP Cheat Sheets Project Homepage

Authors and Primary Editors

Jim Manico - jim [at]