This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Abridged SQL Injection Prevention Cheat Sheet"
m (→SQL Injection Prevention Overview) |
m (→SQL Injection Prevention Overview) |
||
Line 32: | Line 32: | ||
|- | |- | ||
| Ruby | | Ruby | ||
− | | | + | | |
+ | Project.all(:conditions => "name = ?", name) | ||
+ | Project.all(:conditions => { :name => name }) | ||
+ | Project.all(:conditions => "name = '#{params[:name]}'") | ||
|} | |} | ||
Revision as of 23:48, 17 November 2011
DRAFT CHEAT SHEET - WORK IN PROGRESS
Introduction
SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.
SQL Injection Prevention Overview
SQL Injection is best prevented through the use of parametrized queries. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.
Language | Parametrized Query |
---|---|
Java - Standard |
String custname = request.getParameter("customerName"); String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( ); |
Java - Hibernate | TODO |
.NET - C# | TODO |
.NET - ASP.net | TODO |
Ruby |
Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.all(:conditions => "name = '#{params[:name]}'") |
Related Articles
OWASP Cheat Sheets Project Homepage
Authors and Primary Editors
Jim Manico - jim [at] owasp.org