This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Query Parameterization Cheat Sheet (Hawaiian Pidgin English)"
m (this to dis) |
m (this to da) |
||
Line 8: | Line 8: | ||
__TOC__{{TOC hidden}} | __TOC__{{TOC hidden}} | ||
− | 'Ey, Howzit? One [[SQL Injection]] is da moddah of all web vulnerabilities. Fo' real! So much so that it's | + | 'Ey, Howzit? One [[SQL Injection]] is da moddah of all web vulnerabilities. Fo' real! So much so that it's da [[Top_10_2013-A1|#1 item in da OWASP Top 10]]. It represents a serious threat because SQL Injection allows evil attacker code to change da structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to da underlying OS. |
− | Dis cheat sheet is a derivative work of | + | Dis cheat sheet is a derivative work of da [[SQL Injection Prevention Cheat Sheet]]. Mahalos yeah fo' checking out dis place. Shoots! |
= Parameterized Query Examples = | = Parameterized Query Examples = | ||
− | SQL Injection is best prevented through the use of [[SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29|''parameterized queries'']]. | + | SQL Injection is best prevented through the use of [[SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29|''parameterized queries'']]. Da following chart demonstrates, with real-world code samples, how to build parameterized queries in most of da common web languages. Da purpose of these code samples is to demonstrate to da web developer how to avoid SQL Injection when building database queries within a web application. |
== Prepared Statement Examples == | == Prepared Statement Examples == | ||
Line 101: | Line 101: | ||
== Stored Procedure Examples == | == Stored Procedure Examples == | ||
− | + | Da SQL you write in your web application isn't da only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure dis dynamic SQL is secure, you can parameterize dis dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases: | |
{| class="wikitable nowraplinks" | {| class="wikitable nowraplinks" | ||
Line 110: | Line 110: | ||
| Oracle - PL/SQL | | Oracle - PL/SQL | ||
| | | | ||
− | Normal Stored Procedure - no dynamic SQL being created. Parameters passed in to stored procedures are naturally bound to their location within | + | Normal Stored Procedure - no dynamic SQL being created. Parameters passed in to stored procedures are naturally bound to their location within da query without anything special being required. |
PROCEDURE SafeGetBalanceQuery( | PROCEDURE SafeGetBalanceQuery( | ||
Line 121: | Line 121: | ||
| Oracle - PL/SQL | | Oracle - PL/SQL | ||
| | | | ||
− | Stored Procedure Using Bind Variables in SQL Run with EXECUTE. Bind variables are used to tell | + | Stored Procedure Using Bind Variables in SQL Run with EXECUTE. Bind variables are used to tell da database that da inputs to dis dynamic SQL are 'data' and not possibly code. |
PROCEDURE AnotherSafeGetBalanceQuery( | PROCEDURE AnotherSafeGetBalanceQuery( | ||
Line 136: | Line 136: | ||
| SQL Server- Transact-SQL | | SQL Server- Transact-SQL | ||
| | | | ||
− | Normal Stored Procedure - no dynamic SQL being created. Parameters passed in to stored procedures are naturally bound to | + | Normal Stored Procedure - no dynamic SQL being created. Parameters passed in to stored procedures are naturally bound to da location within da query without anything special being required. |
PROCEDURE SafeGetBalanceQuery( | PROCEDURE SafeGetBalanceQuery( | ||
Line 147: | Line 147: | ||
| SQL Server- Transact-SQL | | SQL Server- Transact-SQL | ||
| | | | ||
− | Stored Procedure Using Bind Variables in SQL Run with EXEC. Bind variables are used to tell | + | Stored Procedure Using Bind Variables in SQL Run with EXEC. Bind variables are used to tell da database that da inputs to dis dynamic SQL are 'data' and not possibly code. |
PROCEDURE SafeGetBalanceQuery(@UserID varchar(20), | PROCEDURE SafeGetBalanceQuery(@UserID varchar(20), | ||
Line 161: | Line 161: | ||
= References = | = References = | ||
− | * [http://bobby-tables.com/ | + | * [http://bobby-tables.com/ Da Bobby Tables site (inspired by da XKCD webcomic) has numerous examples in different languages of parameterized Prepared Statements and Stored Procedures] |
* OWASP [[SQL Injection Prevention Cheat Sheet]] | * OWASP [[SQL Injection Prevention Cheat Sheet]] | ||
Revision as of 13:47, 7 July 2014
Last revision (mm/dd/yy): 07/7/2014 Introduction'Ey, Howzit? One SQL Injection is da moddah of all web vulnerabilities. Fo' real! So much so that it's da #1 item in da OWASP Top 10. It represents a serious threat because SQL Injection allows evil attacker code to change da structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to da underlying OS. Dis cheat sheet is a derivative work of da SQL Injection Prevention Cheat Sheet. Mahalos yeah fo' checking out dis place. Shoots! Parameterized Query ExamplesSQL Injection is best prevented through the use of parameterized queries. Da following chart demonstrates, with real-world code samples, how to build parameterized queries in most of da common web languages. Da purpose of these code samples is to demonstrate to da web developer how to avoid SQL Injection when building database queries within a web application. Prepared Statement Examples
Stored Procedure ExamplesDa SQL you write in your web application isn't da only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure dis dynamic SQL is secure, you can parameterize dis dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:
References
Authors and Primary EditorsJim Manico - jim [at] owasp.org Other Cheatsheets |