Revision as of 02:17, 18 November 2011

1 DRAFT CHEAT SHEET - WORK IN PROGRESS
2 Introduction
3 SQL Injection Prevention Overview
4 Related Articles
5 Authors and Primary Editors

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.

SQL Injection Prevention Overview

SQL Injection is best prevented through the use of parametrized queries. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

Authors and Primary Editors

Jim Manico - jim [at] owasp.org

@@ Line 55: / Line 55: @@
 |
    $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
-   ''$stmt->bindParam(':name', $name);''
+   '''$stmt->bindParam(':name', $name);'''
-   ''$stmt->bindParam(':value', $value);''
+   '''$stmt->bindParam(':value', $value);'''
 |-
 | Cold Fusion
 |
    <cfquery name = "getFirst" dataSource = "cfsnippets">
-       ''SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID =''
+       '''SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID ='''
-       ''<cfqueryparam value = #intCourseID# CFSQLType = "CF_SQL_INTEGER">''
+       '''<cfqueryparam value = #intCourseID# CFSQLType = "CF_SQL_INTEGER">'''
    </cfquery>
 |-
@@ Line 68: / Line 68: @@
 |
    my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )";
-   ''my $sth = $dbh->prepare( $sql );''
+   ''''my $sth = $dbh->prepare( $sql );'''
-   ''$sth->execute( $bar, $baz );''
+   ''$sth->execute( $bar, $baz );'''
 |}

Language	Parametrized Query
Java - Standard	String custname = request.getParameter("customerName"); String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( );
Java - Hibernate	Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid"); safeHQLQuery.setParameter("productid", userSuppliedParameter);
.NET - C#	String query = "SELECT account_balance FROM user_data WHERE user_name = ?"; try { OleDbCommand command = new OleDbCommand(query, connection); command.Parameters.Add(new OleDbParameter("customerName", CustomerName Name.Text)); OleDbDataReader reader = command.ExecuteReader(); // … } catch (OleDbException se) { // error handling }
ASP.NET	string sql = "SELECT * FROM Customers WHERE CustomerId = @CustomerId"; SqlCommand command = new SqlCommand(sql); command.Parameters.Add(new SqlParameter("@CustomerId", System.Data.SqlDbType.Int)); command.Parameters["@CustomerId"].Value = 1;
Ruby	Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.all(:conditions => "name = '#{params[:name]}'")
PHP - PDO	$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); $stmt->bindParam(':name', $name); $stmt->bindParam(':value', $value);
Cold Fusion	<cfquery name = "getFirst" dataSource = "cfsnippets"> *SELECT FROM #strDatabasePrefix#_courses WHERE intCourseID = <cfqueryparam value = #intCourseID# CFSQLType = "CF_SQL_INTEGER">** </cfquery>
Perl - DBI	my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; 'my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz );'

Difference between revisions of "Abridged SQL Injection Prevention Cheat Sheet"

Revision as of 02:17, 18 November 2011

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

SQL Injection Prevention Overview

Related Articles

Authors and Primary Editors

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools