![]() ![]() Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. ![]() This coding style allows the database to distinguish between code and data, regardless of what user input is supplied. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. They are simple to write, and easier to understand than dynamic queries. The use of prepared statements with variable binding (aka parameterized queries) is how all developers should first be taught how to write database queries. Primary Defenses ¶ Defense Option 1: Prepared Statements (with Parameterized Queries) ¶ String query = "SELECT account_balance FROM user_data WHERE user_name = " + request. Unfortunately, this method for accessing databases is all too common. The unvalidated "customerName" parameter that is simply appended to the query allows an attacker to inject any SQL code they want. The following (Java) example is UNSAFE, and would allow an attacker to inject code into the query that would be executed by the database. SQL injection flaws typically look like this:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |