This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Query Parameterization Cheat Sheet

Revision as of 18:43, 5 June 2014 by Wichers (talk | contribs)

Jump to: navigation, search

Last revision (mm/dd/yy): 06/5/2014


SQL Injection is one of the most dangerous web vulnerabilities. So much so that it's the #1 item in the OWASP Top 10. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.

Parameterized Query Examples

SQL Injection is best prevented through the use of parameterized queries. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within an web application.

Authors and Primary Editors

Jim Manico - jim [at]
Dave Wichers - dave.wichers [at]
Neil Matatal - neil [at]

Other Cheatsheets