Difference between revisions of "Abridged SQL Injection Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
(Parametrized Query Examples)
(Parametrized Query Examples)
Line 45: Line 45:
 
  command.Parameters["@CustomerId"].Value = 1;
 
  command.Parameters["@CustomerId"].Value = 1;
 
|-
 
|-
| Ruby
+
| Ruby - ActiveRecord
 
|  
 
|  
 
  '''Project.all(:conditions => "name = ?", name)'''
 
  '''Project.all(:conditions => "name = ?", name)'''
 
  '''Project.all(:conditions => { :name => name })'''
 
  '''Project.all(:conditions => { :name => name })'''
 +
'''Project.where("name = :name", :name => name)'''
 
|-
 
|-
 
| PHP - PDO
 
| PHP - PDO

Revision as of 16:40, 18 November 2011

Contents

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.

Parametrized Query Examples

SQL Injection is best prevented through the use of parametrized queries. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.

Related Articles

OWASP Cheat Sheets Project Homepage

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets

Authors and Primary Editors

Jim Manico - jim [at] owasp.org