Difference between revisions of "Query Parameterization Cheat Sheet"

From OWASP
Jump to: navigation, search
(Parameterized Query Examples)
m (Point to the official site)
 
(12 intermediate revisions by 4 users not shown)
Line 2: Line 2:
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
= Introduction  =
 
__TOC__{{TOC hidden}}
 
  
[[SQL Injection]] is one of the most dangerous web vulnerabilities. So much so that it's the [[Top_10_2013-A1|#1 item in the OWASP Top 10]].  It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS.  This cheat sheet is a derivative work of the [[SQL Injection Prevention Cheat Sheet]].
+
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html Query Parameterization Cheat Sheet] to see the latest version of the cheat sheet.
 
 
= Parameterized Query Examples =
 
 
 
SQL Injection is best prevented through the use of [[SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29|''parameterized queries'']]. The following chart demonstrates, with real-world code samples, how to build parameterized queries in most of the common web languages. The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within a web application.
 
 
 
{| class="wikitable nowraplinks"
 
|-
 
! Language - Library
 
! Parameterized Query
 
|-
 
| Java - Standard
 
 
String custname = request.getParameter("customerName");
 
String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; 
 
'''PreparedStatement pstmt = connection.prepareStatement( query );'''
 
'''pstmt.setString( 1, custname); '''
 
ResultSet results = pstmt.executeQuery( );
 
|-
 
| Java - Hibernate
 
|
 
//HQL
 
Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid");
 
safeHQLQuery.setParameter("productid", userSuppliedParameter);
 
 
 
//Criteria API
 
String userSuppliedParameter = request.getParameter("Product-Description"); // This should REALLY be validated too
 
// perform input validation to detect attacks
 
Inventory inv = (Inventory) session.createCriteria(Inventory.class).add
 
(Restrictions.eq("productDescription", userSuppliedParameter)).uniqueResult();
 
|-
 
| .NET/C#
 
|
 
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
 
try {
 
    OleDbCommand command = new OleDbCommand(query, connection);
 
    '''command.Parameters.Add(new OleDbParameter("customerName", CustomerName Name.Text));'''
 
    OleDbDataReader reader = command.ExecuteReader();
 
    // …
 
} catch (OleDbException se) {
 
    // error handling
 
}
 
|-
 
| ASP.NET
 
|
 
string sql = "SELECT * FROM Customers WHERE CustomerId = @CustomerId";
 
'''SqlCommand command = new SqlCommand(sql);'''
 
'''command.Parameters.Add(new SqlParameter("@CustomerId", System.Data.SqlDbType.Int));'''
 
command.Parameters["@CustomerId"].Value = 1;
 
|-
 
| Ruby - ActiveRecord
 
 
'''# Create'''
 
Project.create!(:name => 'owasp')
 
'''# Read'''
 
Project.all(:conditions => "name = ?", name)
 
Project.all(:conditions => { :name => name })
 
Project.where("name = :name", :name => name)
 
'''# Update'''
 
project.update_attributes(:name => 'owasp')
 
'''# Delete'''
 
Project.delete(:name => 'name')
 
|-
 
| Ruby
 
|
 
insert_new_user = db.prepare "INSERT INTO users (name, age, gender) VALUES (?, ? ,?)"
 
insert_new_user.execute 'aizatto', '20', 'male'
 
|-
 
| PHP - PDO
 
|
 
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
 
'''$stmt->bindParam(':name', $name);'''
 
'''$stmt->bindParam(':value', $value);'''
 
|-
 
| Cold Fusion
 
|
 
<cfquery name = "getFirst" dataSource = "cfsnippets">
 
    '''SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID ='''
 
    '''<cfqueryparam value = #intCourseID# CFSQLType = "CF_SQL_INTEGER">'''
 
</cfquery>
 
|-
 
| Perl - DBI
 
|
 
my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )";
 
'''my $sth = $dbh->prepare( $sql );'''
 
'''$sth->execute( $bar, $baz );'''
 
|}
 
 
 
The SQL you write in your web application isn't the only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure this dynamic SQL is secure, you can parameterize this dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:
 
 
 
{| class="wikitable nowraplinks"
 
|-
 
! Language - Library
 
! Parameterized Query
 
|-
 
| Oracle - PL/SQL
 
|
 
Normal Oracle Stored Procedure - no dynamic SQL being created. Parameters passed in to stored procedure are naturally bound to their location within the query without anything special being required.
 
 
 
  PROCEDURE usp_SafeGetBalanceQuery(
 
    UserID varchar, Dept varchar) AS BEGIN
 
 
 
    SELECT balance FROM accounts_table WHERE user_ID = UserID AND
 
      department = Dept;
 
  END;
 
 
 
|-
 
| Oracle - PL/SQL
 
 
Stored Procedure Using Bind Variables in Dynamic SQL Run with EXECUTE IMMEDIATE. Bind variables are used to tell the database that the inputs to this dynamic SQL are 'data' and not possibly 'code'.
 
 
 
  PROCEDURE usp_AnotherSafeGetBalanceQuery(
 
    UserID varchar, Dept varchar) AS
 
    stmt VARCHAR(400); result NUMBER;
 
 
 
  BEGIN
 
    stmt := 'SELECT balance FROM accounts_table WHERE user_ID = :1
 
      AND department = :2';
 
    EXECUTE IMMEDIATE stmt INTO result USING UserID, Dept;
 
    RETURN result;
 
  END;
 
|}
 
 
 
= Authors and Primary Editors  =
 
 
 
Jim Manico - jim [at] owasp.org<br/>
 
Dave Wichers - dave.wichers [at] aspectsecurity.com<br/>
 
Neil Matatal - neil [at] owasp.org
 
 
 
== Other Cheatsheets ==
 
 
 
{{Cheatsheet_Navigation_Body}}
 
 
 
|}
 
 
 
[[Category:Cheatsheets]]
 

Latest revision as of 09:21, 15 July 2019

Cheatsheets-header.jpg

The Cheat Sheet Series project has been moved to GitHub!

Please visit Query Parameterization Cheat Sheet to see the latest version of the cheat sheet.