Web Application Security Guide/SQL injection

From Wikibooks, open books for an open world

SQL injection

An SQL injection vulnerability occurs if user input included in database queries is not escaped correctly. This type of vulnerability allows attackers to change database queries, which can allow them to obtain or modify database contents.

To prevent this type of attack:

  • use prepared statements to access the database – or –
  • use stored procedures, accessed using appropriate language/library methods or prepared statements
  • always ensure the DB login used by the application has only the rights that are needed

Rationale

Escaping input manually is error-prone and easy to forget. With prepared statements, the correct escaping is applied automatically by the database driver. This also avoids problems caused by the input being interpreted differently by the application and the database (character set, null-byte handling, etc.), which can lead to hard-to-find vulnerabilities. Using a database login with limited access rights limits the impact of a successful attack.
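The following added example (not part of the Wikibook text) contrasts a query built by string concatenation with the prepared-statement form using Python's sqlite3 module and a constructed in-memory table; it shows both why manual escaping is fragile (a legitimate name containing an apostrophe breaks the concatenated query) and why bound parameters cannot change the query structure.

```python
import sqlite3

# Constructed sample data: a few user records, one with an apostrophe in the name.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "ob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the input into the SQL text, so the input is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared statement: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # 1. Legitimate input with a quote: the concatenated query is malformed SQL and
    #    raises an error; the prepared statement returns the matching row unchanged.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_quote_ok"] = True
    except sqlite3.OperationalError:
        results["vuln_quote_ok"] = False
    results["prepared_quote"] = lookup_prepared(conn, "o'brien")
    # 2. Constructed tautology input: concatenation rewrites the WHERE clause and
    #    returns every row; the prepared statement compares the literal string and
    #    matches nothing.
    injected = "' OR '1'='1"
    results["vuln_injected"] = lookup_vulnerable(conn, injected)
    results["prepared_injected"] = lookup_prepared(conn, injected)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```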