Difference between revisions of "Abridged SQL Injection Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
(Parametrized Query Examples)
Line 48: Line 48:
 
|   
 
|   
 
  '''# Create'''
 
  '''# Create'''
  '''Project.create!(:name => 'owasp')'''
+
  Project.create!(:name => 'owasp')
 
  '''# Read'''
 
  '''# Read'''
  '''Project.all(:conditions => "name = ?", name)'''
+
  Project.all(:conditions => "name = ?", name)
  '''Project.all(:conditions => { :name => name })'''
+
  Project.all(:conditions => { :name => name })
  '''Project.where("name = :name", :name => name)'''
+
  Project.where("name = :name", :name => name)
 
  '''# Update'''
 
  '''# Update'''
  '''project.update_attributes(:name => 'owasp')'''
+
  project.update_attributes(:name => 'owasp')
 
  '''# Delete'''
 
  '''# Delete'''
  '''Project.delete(:name => 'name')'''
+
  Project.delete(:name => 'name')
 
|-
 
|-
 
| PHP - PDO
 
| PHP - PDO

Revision as of 16:04, 18 November 2011

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

SQL Injection is one of the most damaging web vulnerabilities. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.

Parametrized Query Examples

SQL Injection is best prevented through the use of parametrized queries. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages.

Related Articles

OWASP Cheat Sheets Project Homepage


Authors and Primary Editors

Jim Manico - jim [at] owasp.org