This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Abridged SQL Injection Prevention Cheat Sheet"
m (→SQL Injection Prevention Overview) |
m (→SQL Injection Prevention Overview) |
||
| Line 55: | Line 55: | ||
| | | | ||
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); | $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); | ||
| − | $stmt->bindParam(':name', $name); | + | ''$stmt->bindParam(':name', $name);'' |
| − | $stmt->bindParam(':value', $value); | + | ''$stmt->bindParam(':value', $value);'' |
|- | |- | ||
| Cold Fusion | | Cold Fusion | ||
| | | | ||
<cfquery name = "getFirst" dataSource = "cfsnippets"> | <cfquery name = "getFirst" dataSource = "cfsnippets"> | ||
| − | SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID = | + | ''SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID ='' |
| − | <cfqueryparam value = #intCourseID# CFSQLType = "CF_SQL_INTEGER"> | + | ''<cfqueryparam value = #intCourseID# CFSQLType = "CF_SQL_INTEGER">'' |
</cfquery> | </cfquery> | ||
| + | |- | ||
| + | | Perl - DBI | ||
| + | | | ||
| + | my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; | ||
| + | ''my $sth = $dbh->prepare( $sql );'' | ||
| + | ''$sth->execute( $bar, $baz );'' | ||
|} | |} | ||
Revision as of 02:16, 18 November 2011
DRAFT CHEAT SHEET - WORK IN PROGRESS
Introduction
SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.
SQL Injection Prevention Overview
SQL Injection is best prevented through the use of parametrized queries. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.
| Language | Parametrized Query |
|---|---|
| Java - Standard |
String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname);
ResultSet results = pstmt.executeQuery( );
|
| Java - Hibernate |
Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid");
safeHQLQuery.setParameter("productid", userSuppliedParameter);
|
| .NET - C# |
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
try {
OleDbCommand command = new OleDbCommand(query, connection);
command.Parameters.Add(new OleDbParameter("customerName", CustomerName Name.Text));
OleDbDataReader reader = command.ExecuteReader();
// …
} catch (OleDbException se) {
// error handling
}
|
| ASP.NET |
string sql = "SELECT * FROM Customers WHERE CustomerId = @CustomerId";
SqlCommand command = new SqlCommand(sql);
command.Parameters.Add(new SqlParameter("@CustomerId", System.Data.SqlDbType.Int));
command.Parameters["@CustomerId"].Value = 1;
|
| Ruby |
Project.all(:conditions => "name = ?", name)
Project.all(:conditions => { :name => name })
Project.all(:conditions => "name = '#{params[:name]}'")
|
| PHP - PDO |
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
|
| Cold Fusion |
<cfquery name = "getFirst" dataSource = "cfsnippets">
SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID =
<cfqueryparam value = #intCourseID# CFSQLType = "CF_SQL_INTEGER">
</cfquery>
|
| Perl - DBI |
my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz ); |
Related Articles
OWASP Cheat Sheets Project Homepage
Authors and Primary Editors
Jim Manico - jim [at] owasp.org
