Cheat Sheet for SQL Injection Prevention - owasp.org - Techist - Tech Forum

Old 07-24-2012, 09:05 AM   #1 (permalink)
office politics
Join Date: Jan 2004
Location: in the lab
Posts: 6,555

Cheat Sheet for SQL Injection Prevention - owasp.org

link:

SQL Injection Prevention Cheat Sheet - OWASP

quoted:

Introduction
This article is focused on providing clear, simple, actionable guidance for preventing SQL Injection flaws in your applications. SQL Injection attacks are unfortunately very common, and this is due to two factors:

1. the significant prevalence of SQL Injection vulnerabilities, and
2. the attractiveness of the target (i.e., the database typically contains all the interesting/critical data for your application).

It's somewhat shameful that there are so many successful SQL Injection attacks occurring, because it is EXTREMELY simple to avoid SQL Injection vulnerabilities in your code.

SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.

This article provides a set of simple techniques for preventing SQL Injection vulnerabilities by avoiding these two problems. These techniques can be used with practically any kind of programming language with any type of database. There are other types of databases, like XML databases, which can have similar problems (e.g., XPath and XQuery injection) and these techniques can be used to protect them as well.

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)
Option #2: Use of Stored Procedures
Option #3: Escaping all User Supplied Input
Additional Defenses:

Also Enforce: Least Privilege
Also Perform: White List Input Validation
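As an added example (not part of the post or of the OWASP cheat sheet), the following Python script uses only the standard library's sqlite3 module and a constructed in-memory table to contrast the dynamic query the sheet warns about with Primary Defense #1 (a parameterized query), and to show white-list validation for a column name, which cannot be bound as a parameter:

```python
import sqlite3

# Constructed sample data (not from the cheat sheet): an in-memory SQLite table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user"), ("carol", "user")])
    conn.commit()
    return conn

def find_user_dynamic(conn, name):
    """The pattern OWASP warns about: user input concatenated into the SQL text.
    A legitimate apostrophe in the input already breaks the query, which shows
    the input is being parsed as SQL rather than treated as data."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_prepared(conn, name):
    """Primary Defense #1: a parameterized query. The SQL text is fixed and the
    value travels separately, so it can never change the query's structure."""
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Identifiers (column names) cannot be bound as parameters, so the additional
# defense applies: white-list validation against the set of known column names.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}

def list_users_sorted(conn, sort_col):
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_col)
    return conn.execute("SELECT name FROM users ORDER BY " + sort_col).fetchall()

def demo():
    conn = make_db()
    results = {}
    try:
        find_user_dynamic(conn, "O'Brien")
        results["dynamic"] = "ok"
    except sqlite3.OperationalError as e:
        results["dynamic"] = "error: %s" % e   # the apostrophe broke the SQL
    results["prepared"] = find_user_prepared(conn, "O'Brien")   # row found
    results["sorted"] = list_users_sorted(conn, "name")
    return results

if __name__ == "__main__":
    print(demo())
```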