Line 212: | Line 212: | ||
===Preventing SQL Injection=== | ===Preventing SQL Injection=== | ||
* String concatenation to build any part of a SQL statement with user controlled data creates a SQL injection vulnerability. | * String concatenation to build any part of a SQL statement with user controlled data creates a SQL injection vulnerability. | ||
* Parameterized queries are | * Parameterized queries are a guaranteed approach to prevent SQL injection. | ||
* It's not realistic to always know if a piece of data is user controlled, therefore parameterized queries should be used whenever a method/function accepts data and uses this data as part of the SQL statement. | |||
Further Reading: [http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet SQL Injection Prevention Cheat Sheet] | Further Reading: [http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet SQL Injection Prevention Cheat Sheet] |
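Review bot: "a guaranteed approach" in the revised second bullet overstates what parameterization covers; bound parameters protect data values only, so a statement that splices user input into a table or column name, a sort direction or a LIMIT clause stays injectable even when every value is parameterized. Suggest wording along the lines of "Parameterized queries prevent SQL injection for every user-supplied value; parts of a statement that cannot be parameterized (identifiers, sort order) must be validated against a fixed allowlist." The added third bullet states the right rule (parameterize whenever a method accepts data that becomes part of a statement, since the caller cannot know whether it is user controlled) and fits well with the first bullet.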