Revision as of 13:45, 7 July 2014

Last revision (mm/dd/yy): 07/7/2014

Introduction

1 Introduction
2 Parameterized Query Examples
- 2.1 Prepared Statement Examples
- 2.2 Stored Procedure Examples
3 References
4 Authors and Primary Editors
- 4.1 Other Cheatsheets

'Ey, Howzit? One SQL Injection is da moddah of all web vulnerabilities. Fo' real! So much so that it's the #1 item in the OWASP Top 10. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS. Dis cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet. Mahalos yeah fo' checking out dis place. Shoots!

Parameterized Query Examples

SQL Injection is best prevented through the use of parameterized queries. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within a web application.

Prepared Statement Examples

Stored Procedure Examples

The SQL you write in your web application isn't the only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure dis dynamic SQL is secure, you can parameterize dis dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:

References

Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Dave Wichers - dave.wichers [at] aspectsecurity.com
Neil Matatal - neil [at] owasp.org

Other Cheatsheets

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

@@ Line 8: / Line 8: @@
   __TOC__{{TOC hidden}}
-'Ey, Howzit? One [[SQL Injection]] is da moddah of all web vulnerabilities. Fo' real! So much so that it's the [[Top_10_2013-A1|#1 item in the OWASP Top 10]].  It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS.  This cheat sheet is a derivative work of the [[SQL Injection Prevention Cheat Sheet]].  Mahalos yeah fo' checking out dis place. Shoots!
+'Ey, Howzit? One [[SQL Injection]] is da moddah of all web vulnerabilities. Fo' real! So much so that it's the [[Top_10_2013-A1|#1 item in the OWASP Top 10]].  It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS.
+Dis cheat sheet is a derivative work of the [[SQL Injection Prevention Cheat Sheet]].  Mahalos yeah fo' checking out dis place. Shoots!
 = Parameterized Query Examples =
@@ Line 36: / Line 37: @@
   //Criteria API
-  String userSuppliedParameter = request.getParameter("Product-Description"); // This should REALLY be validated too
+  String userSuppliedParameter = request.getParameter("Product-Description"); // Dis should REALLY be validated too
   // perform input validation to detect attacks
   Inventory inv = (Inventory) session.createCriteria(Inventory.class).add
@@ Line 100: / Line 101: @@
 == Stored Procedure Examples ==
-The SQL you write in your web application isn't the only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure this dynamic SQL is secure, you can parameterize this dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:
+The SQL you write in your web application isn't the only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure dis dynamic SQL is secure, you can parameterize dis dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:
 {| class="wikitable nowraplinks"
@@ Line 120: / Line 121: @@
 | Oracle - PL/SQL
 |
-Stored Procedure Using Bind Variables in SQL Run with EXECUTE. Bind variables are used to tell the database that the inputs to this dynamic SQL are 'data' and not possibly code.
+Stored Procedure Using Bind Variables in SQL Run with EXECUTE. Bind variables are used to tell the database that the inputs to dis dynamic SQL are 'data' and not possibly code.
    PROCEDURE AnotherSafeGetBalanceQuery(
@@ Line 146: / Line 147: @@
 | SQL Server- Transact-SQL
 |
-Stored Procedure Using Bind Variables in SQL Run with EXEC. Bind variables are used to tell the database that the inputs to this dynamic SQL are 'data' and not possibly code.
+Stored Procedure Using Bind Variables in SQL Run with EXEC. Bind variables are used to tell the database that the inputs to dis dynamic SQL are 'data' and not possibly code.
    PROCEDURE SafeGetBalanceQuery(@UserID varchar(20),

Difference between revisions of "Query Parameterization Cheat Sheet (Hawaiian Pidgin English)"

Revision as of 13:45, 7 July 2014

Introduction

Parameterized Query Examples

Prepared Statement Examples

Stored Procedure Examples

References

Authors and Primary Editors

Other Cheatsheets

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools