Difference between revisions of "Query Parameterization Cheat Sheet (Hawaiian Pidgin English)"

From OWASP
Jump to: navigation, search
(to to foa)
(Authors and Primary Editors)
 
Line 164: Line 164:
 
* OWASP [[SQL Injection Prevention Cheat Sheet]]
 
* OWASP [[SQL Injection Prevention Cheat Sheet]]
  
= Authors and Primary Editors  =
+
= Translators =
  
 
Jim Manico - jim [at] owasp.org<br/>
 
Jim Manico - jim [at] owasp.org<br/>
[[User:Wichers|Dave Wichers - dave.wichers]] [at] aspectsecurity.com<br/>
+
Jeremiah Grossman
Neil Matatal - neil [at] owasp.org
+
  
 
== Other Cheatsheets ==
 
== Other Cheatsheets ==

Latest revision as of 08:52, 7 July 2014

Cheatsheets-header.jpg

Last revision (mm/dd/yy): 07/7/2014

Introduction

'Ey, Howzit? One SQL Injection is da moddah of all web vulnerabilities. Fo' real! So much so that it's da #1 item in da OWASP Top 10. It represents a serious threat because SQL Injection allows evil attacker code foa change da structure of a web application's SQL statement in a way that can steal data, modify data, or potentially facilitate command injection foa da underlying OS. Dis cheat sheet is a derivative work of da SQL Injection Prevention Cheat Sheet. Mahalos yeah fo' checking out dis place. Shoots!

Parameterized Query Examples

SQL Injection is best prevented through the use of parameterized queries. Da following chart demonstrates, with real-world code samples, how foa build parameterized queries in most of da common web languages. Da purpose of these code samples is foa demonstrate foa da web developer how foa avoid SQL Injection when building database queries within a web application.

Prepared Statement Examples

Stored Procedure Examples

Da SQL you write in your web application isn't da only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities. To ensure dis dynamic SQL is secure, you can parameterize dis dynamic SQL too using bind variables. Here are some examples of using bind variables in stored procedures in different databases:

References

Translators

Jim Manico - jim [at] owasp.org
Jeremiah Grossman

Other Cheatsheets

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets