Professional Documents
Culture Documents
SQL Injection Cheat Sheet PDF
SQL Injection Cheat Sheet PDF
SQL Injection
SQL Injection, or SQLi for short, is a type of web application security
vulnerability that exploits the database layer through rogue code
injection techniques.
(source: Trustwave).
SQL Injection attacks can occur when a web application utilizes user-supplied data
without proper validation or encoding as part of a command or query. This leaves an
opening for potential hacks or attacks as specially crafted user data can trick the
application into executing unintended commands or changing data. These commands
are then sent to the database server where they are executed. SQLi attacks are easily
preventable, yet most companies dont take precautions, subjecting themselves to
potentially damaging data breaches and their consequences.
Additional Resources:
Veracode resources on SQLi include:
SQL Injection Tutorial (video)
Anatomy of the Sony PlayStation
Network breach (infographic)
Data Mining a Mountain of Zero Day
Vulnerabilities (webinar)
Verizon Data Breach Investigative
Report 2012 highlights (blog)
Safe Coding and Software Security
(infographic)
1. Use prepared statements (aka parameterized queries). Simpler to write and easier
to understand than dynamic queries, parameterized queries pass in each parameter to
the query layer only after all SQL code has been defined. The database can distinguish
between code and data, regardless of user input. An attacker isnt able to change the
intent of a query, even if SQL commands are inserted.
2. Perform Input Validation. Authenticate user input against a set of defined rules for
length, type and syntax as well as against business rules as an additional query filter.
3. Escape all user supplied input, before putting it in a query. This is a cost-effective
way to retrofit legacy code and avoid performance issues, but an inferior approach when
writing new apps. Every DBMS supports one or more character escaping schemes
specific to certain kinds of queries, so use them. The DBMS will not confuse user input
with SQL code written by the developer, thus avoiding any possible SQLi.
4. Enforce least privilege. Minimize the privileges assigned to database accounts in
your environment. Start with no access rights and then determine case-by-case what
each requires. Some users will be fine with read-only access or limited views of the
data. Restrict an accounts ability to execute stored procedures. Create specific
accounts application by application. Rarely, if ever, grant the ability to create or delete
access to database accounts. Minimize privileges granted to the application itself, to
reduce the likelihood of unauthorized access.
5. Use stored procedures. This fix stores all SQL code in the database itself, then calls
it from the application. SQL code is defined first, and then parameters are passed after.
Avoid generating dynamic SQL inside stored procedures. If this cant be avoided, then
validate or properly escape all user supplied input to the dynamic query before its
constructed. Remove any and all stored procedures that are not in use.
For more details, consult the source: Open Web Application Security Project
SQL example: entering 0=0 as inputs will return all database records (source: Veracode)
String SQLQuery ="SELECT Username, Password FROM users WHERE Username="
+ Username +" AND Password=" + Password ="";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(SQLQuery);
while (rs.next()) { }
www.veracode.com
2012 Veracode, Inc.
All rights reserved.