|
|
(25 intermediate revisions by 3 users not shown) |
Line 1: |
Line 1: |
− | = DRAFT CHEAT SHEET - WORK IN PROGRESS =
| + | Moved: Please see the [[Query Parameterization Cheat Sheet]] |
− | = Introduction =
| |
− | | |
− | SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the [[SQL Injection Prevention Cheat Sheet]].
| |
− | | |
− | = SQL Injection Prevention Overview =
| |
− | | |
− | SQL Injection is best prevented through the use of [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29 ''parametrized queries'']. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.
| |
− | | |
− | {| class="wikitable nowraplinks"
| |
− | |-
| |
− | ! Language
| |
− | ! Parametrized Query
| |
− | |-
| |
− | | Java - Standard
| |
− | |
| |
− | String custname = request.getParameter("customerName"); // This should REALLY be validated too
| |
− | // perform input validation to detect attacks
| |
− | String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
| |
− |
| |
− | '''PreparedStatement pstmt = connection.prepareStatement( query );'''
| |
− | '''pstmt.setString( 1, custname); '''
| |
− | ResultSet results = pstmt.executeQuery( );
| |
− | |-
| |
− | | Java - Hibernate
| |
− | | TODO
| |
− | |-
| |
− | | .NET - C#
| |
− | | TODO
| |
− | |-
| |
− | | .NET - ASP.net
| |
− | | TODO
| |
− | |-
| |
− | | Ruby
| |
− | | <ul><li>Project.all(:conditions => "name = ?", name)<li>Project.all(:conditions => { :name => name })<li>Project.all(:conditions => "name = '#{params[:name]}'")</ul>
| |
− | |}
| |
− | | |
− | = Related Articles =
| |
− | | |
− | {{Cheatsheet_Navigation}}
| |
− | | |
− | = Authors and Primary Editors =
| |
− | | |
− | Jim Manico - jim [at] owasp.org
| |
− | | |
− | [[Category:Cheatsheets]]
| |
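Review bot: the replacement on the `+` line is a plain wiki link ("Moved: Please see the [[Query Parameterization Cheat Sheet]]") rather than a redirect, so existing bookmarks and inbound links to this title will land on a one-line stub instead of the new sheet; a `#REDIRECT [[Query Parameterization Cheat Sheet]]` as the page body would resolve them automatically. Also worth carrying over when the content is moved: the removed Ruby row lists `Project.all(:conditions => "name = '#{params[:name]}'")` in the same list as the two parameterized forms with nothing marking it as the injectable string-interpolation variant, and the removed Java sample has the comment "// perform input validation to detect attacks" with no validation code under it; both should be labelled or fixed on the destination page rather than copied as-is.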
Latest revision as of 08:49, 9 March 2012
Moved: Please see the Query Parameterization Cheat Sheet