This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Periodic Table of Vulnerabilities - SQL Injection"
From OWASP
(→Discussion / Controversy) |
(→References) |
||
| Line 41: | Line 41: | ||
=== References === | === References === | ||
| − | |||
| − | |||
| − | |||
Revision as of 15:39, 6 May 2013
SQL Injection
Root Cause Summary
Applications that have insufficient input validations or non-validated literal strings concatenated into a dynamic SQL Statement and subsequently interpreted as code by the SQL Engine
Browser / Standards Solution
None
Perimeter Solution
Web Application Firewalls (WAFs) can help in reducing SQL Injection attacks by filtering popular and well known attack inputs. WAFs are driven by a set of predefined rules that can help mitigate SQL Inection attacks to a certain extent.
Complexity: High
Impact: High
Generic Framework Solution
- Parametric Queries - Use parametric queries to execute any SQL commands
- Input Validation - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted characterset
- Escape Sequences - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. [ To provide a seperate link for this ]
Complexity: Low
Impact: High
Custom Framework Solution
Complexity: Medium
Impact: High
Custom Code Solution
- When building custom solutions, make sure that SQL queries are not constructed dynamically with the table names and views. If that is unavoidable, validate the schema and the table/view names before constructing the SQL query.
- As a precuationay measure, ensure that the tables have appropriate access control through policies
- Whenever possible, when building custom solutions, use the underlying databases prepared queries library.
Complexity: High
Impact: High
