This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Abridged SQL Injection Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
m (SQL Injection Prevention Overview)
m (Parametrized Query Examples)
Line 15: Line 15:
 
| Java - Standard
 
| Java - Standard
 
|   
 
|   
  String custname = request.getParameter("customerName");  
+
String custname = request.getParameter("customerName");  
  String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
+
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
 
+
'''PreparedStatement pstmt = connection.prepareStatement( query );'''
  '''PreparedStatement pstmt = connection.prepareStatement( query );'''
+
'''pstmt.setString( 1, custname); '''
  '''pstmt.setString( 1, custname); '''
+
ResultSet results = pstmt.executeQuery( );
  ResultSet results = pstmt.executeQuery( );
 
 
|-
 
|-
 
| Java - Hibernate
 
| Java - Hibernate

Revision as of 02:22, 18 November 2011

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.

Parametrized Query Examples

SQL Injection is best prevented through the use of parametrized queries. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.

Related Articles

OWASP Cheat Sheets Project Homepage


Authors and Primary Editors

Jim Manico - jim [at] owasp.org