Abridged SQL Injection Prevention Cheat Sheet
DRAFT CHEAT SHEET - WORK IN PROGRESS
SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.
SQL Injection Prevention Overview
SQL Injection is best prevented through the use of parametrized queries. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.
|Java - Standard||
String custname = request.getParameter("customerName"); // This should REALLY be validated too // perform input validation to detect attacks String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( );
|Java - Hibernate||TODO|
|.NET - C#||TODO|
|.NET - ASP.net||TODO|
OWASP Cheat Sheets Project Homepage
Authors and Primary Editors
Jim Manico - jim [at] owasp.org