Difference between revisions of "Abridged SQL Injection Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
m (Authors and Primary Editors)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
SQL Injection is one of the most damaging web vulnerabilities.  It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or facilitate command injection.  This cheat sheet is a derivative work of the [[SQL Injection Prevention Cheat Sheet]].
+
[[SQL Injection]] is one of the most dangerous web vulnerabilities. So, much so that its the [[Top_10_2010-A1|#1 item in the OWASP Top 10]].  It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS.  This cheat sheet is a derivative work of the [[SQL Injection Prevention Cheat Sheet]].
  
 
= Parametrized Query Examples =
 
= Parametrized Query Examples =
  
SQL Injection is best prevented through the use of [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29 ''parametrized queries'']. The following chart demonstrates, with real-world code samples, how to build parametrized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when communicating to a database.
+
SQL Injection is best prevented through the use of [[SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29|''parameterized queries'']]. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when communicating to a database.
  
 
{| class="wikitable nowraplinks"
 
{| class="wikitable nowraplinks"
 
|-
 
|-
 
! Language - Library
 
! Language - Library
! Parametrized Query
+
! Parameterized Query
 
|-
 
|-
 
| Java - Standard
 
| Java - Standard

Revision as of 08:58, 21 November 2011

Introduction

SQL Injection is one of the most dangerous web vulnerabilities. So, much so that its the #1 item in the OWASP Top 10. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.

Parametrized Query Examples

SQL Injection is best prevented through the use of parameterized queries. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when communicating to a database.

Related Articles

OWASP Cheat Sheets Project Homepage

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets

Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Dave Wichers - dave.wichers [at] aspectsecurity.com
Neil Matatal - neil [at] owasp.org