Difference between revisions of "Query Parameterization Cheat Sheet"

From OWASP
Jump to: navigation, search
m (Other Cheatsheets)
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
  __NOTOC__
 
  __NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
= Introduction =
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
= Introduction =
 +
__TOC__{{TOC hidden}}
  
[[SQL Injection]] is one of the most dangerous web vulnerabilities. So much so that it's the [[Top_10_2010-A1|#1 item in the OWASP Top 10]].  It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS.  This cheat sheet is a derivative work of the [[SQL Injection Prevention Cheat Sheet]].
+
[[SQL Injection]] is one of the most dangerous web vulnerabilities. So much so that it's the [[Top_10_2013-A1|#1 item in the OWASP Top 10]].  It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS.  This cheat sheet is a derivative work of the [[SQL Injection Prevention Cheat Sheet]].
  
 
= Parameterized Query Examples =
 
= Parameterized Query Examples =
  
SQL Injection is best prevented through the use of [[SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29|''parameterized queries'']]. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within an web application.
+
SQL Injection is best prevented through the use of [[SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29|''parameterized queries'']]. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within a web application.
 +
 
 +
== Prepared Statement Examples ==
  
 
{| class="wikitable nowraplinks"
 
{| class="wikitable nowraplinks"
Line 28: Line 32:
 
|
 
|
 
  //HQL  
 
  //HQL  
  Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid");
+
  @Entity // declare as entity;
  safeHQLQuery.setParameter("productid", userSuppliedParameter);
+
'''@NamedQuery('''
 +
  '''name="findByDescription",'''
 +
  '''query="FROM Inventory i WHERE i.productDescription = :productDescription"'''
 +
''')'''
 +
public class Inventory implements Serializable {
 +
  @Id
 +
  private long id;
 +
  private String productDescription;
 +
}<br/>
 +
// use case
 +
String userSuppliedParameter = request.getParameter("Product-Description"); // This should REALLY be validated too
 +
// perform input validation to detect attacks
 +
  '''List<Inventory> list ='''
 +
  '''session.getNamedQuery("findByDescription")'''
 +
  '''.setParameter("productDescription", userSuppliedParameter).list();'''
  
 
  //Criteria API
 
  //Criteria API
Line 93: Line 111:
 
  '''$sth->execute( $bar, $baz );'''
 
  '''$sth->execute( $bar, $baz );'''
 
|}
 
|}
 +
 +
== Stored Procedure Examples ==
 +
 +
The SQL you write in your web application isn't the only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure this dynamic SQL is secure, you can parameterize this dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:
 +
 +
{| class="wikitable nowraplinks"
 +
|-
 +
! Language - Library
 +
! Parameterized Query
 +
|-
 +
| Oracle - PL/SQL
 +
|
 +
Normal Stored Procedure - no dynamic SQL being created. Parameters passed in to stored procedures are naturally bound to their location within the query without anything special being required.
 +
 +
  PROCEDURE SafeGetBalanceQuery(
 +
    UserID varchar, Dept varchar) AS BEGIN
 +
 
 +
    SELECT balance FROM accounts_table WHERE user_ID = UserID AND department = Dept;
 +
  END;
 +
 +
|-
 +
| Oracle - PL/SQL
 +
 +
Stored Procedure Using Bind Variables in SQL Run with EXECUTE. Bind variables are used to tell the database that the inputs to this dynamic SQL are 'data' and not possibly code.
 +
 +
  PROCEDURE AnotherSafeGetBalanceQuery(
 +
    UserID varchar, Dept varchar) AS
 +
    stmt VARCHAR(400); result NUMBER;
 +
 
 +
  BEGIN
 +
    stmt := 'SELECT balance FROM accounts_table WHERE user_ID = :1
 +
      AND department = :2';
 +
    EXECUTE IMMEDIATE stmt INTO result USING UserID, Dept;
 +
    RETURN result;
 +
  END;
 +
|-
 +
| SQL Server- Transact-SQL
 +
|
 +
Normal Stored Procedure - no dynamic SQL being created. Parameters passed in to stored procedures are naturally bound to their location within the query without anything special being required.
 +
 +
  PROCEDURE SafeGetBalanceQuery(
 +
    @UserID varchar(20),
 +
    @Dept varchar(10)) AS BEGIN
 +
 
 +
    SELECT balance FROM accounts_table WHERE user_ID = @UserID AND department = @Dept
 +
  END
 +
|-
 +
| SQL Server- Transact-SQL
 +
|
 +
Stored Procedure Using Bind Variables in SQL Run with EXEC. Bind variables are used to tell the database that the inputs to this dynamic SQL are 'data' and not possibly code.
 +
 +
  PROCEDURE SafeGetBalanceQuery(@UserID varchar(20),
 +
      @Dept varchar(10)) AS BEGIN
 +
    DECLARE @sql VARCHAR(200)
 +
    SELECT @sql = 'SELECT balance FROM accounts_table WHERE '
 +
      + 'user_ID = @UID AND department = @DPT'
 +
    EXEC sp_executesql @sql,
 +
      '@UID VARCHAR(20), @DPT VARCHAR(10)',
 +
      @UID=@UserID, @DPT=@Dept
 +
  END
 +
|}
 +
 +
= References =
 +
* [http://bobby-tables.com/ The Bobby Tables site (inspired by the XKCD webcomic) has numerous examples in different languages of parameterized Prepared Statements and Stored Procedures]
 +
* OWASP [[SQL Injection Prevention Cheat Sheet]]
 +
  
 
= Authors and Primary Editors  =
 
= Authors and Primary Editors  =
  
 
Jim Manico - jim [at] owasp.org<br/>
 
Jim Manico - jim [at] owasp.org<br/>
Dave Wichers - dave.wichers [at] aspectsecurity.com<br/>
+
[[User:Wichers|Dave Wichers - dave.wichers]] [at] owasp.org<br/>
 
Neil Matatal - neil [at] owasp.org
 
Neil Matatal - neil [at] owasp.org
  
== Other Cheatsheets ==
+
 
 +
= Other Cheatsheets =
  
 
{{Cheatsheet_Navigation_Body}}
 
{{Cheatsheet_Navigation_Body}}

Revision as of 00:10, 11 September 2017

Cheatsheets-header.jpg

Last revision (mm/dd/yy): 09/11/2017

Introduction

SQL Injection is one of the most dangerous web vulnerabilities. So much so that it's the #1 item in the OWASP Top 10. It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS. This cheat sheet is a derivative work of the SQL Injection Prevention Cheat Sheet.

Parameterized Query Examples

SQL Injection is best prevented through the use of parameterized queries. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within a web application.

Prepared Statement Examples

Stored Procedure Examples

The SQL you write in your web application isn't the only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure this dynamic SQL is secure, you can parameterize this dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:

References


Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Dave Wichers - dave.wichers [at] owasp.org
Neil Matatal - neil [at] owasp.org


Other Cheatsheets