The Bobby Tables guide to SQL injection

By Chad Perrin, Special to ZDNet Asia
Tuesday, October 06, 2009 11:16 AM
Avoiding SQL injection vulnerabilities is much easier than you might think. XKCD inspired a simple tutorial.

In Exploits of a Mom, XKCD #327 made a joke about an SQL injection exploit only a mother could love. I'm sure many of you had a good laugh at it the first time you encountered this at XKCD.

It is certainly true that SQL injection vulnerabilities seem to be more the rule than the exception, especially in the realm of PHP, ColdFusion, and ASP.NET content management systems. Considering how simple the rules are for avoiding SQL injection vulnerabilities, the frequency of such vulnerabilities is quite dismaying.

A number of guides to understanding--and protecting yourself against--SQL injection are available on the Web. Quite a large number of them, actually. A few examples include:

I can't vouch for all of those. I have not read most of them, because there isn't really a lot one needs to read. When I recently ran across the Bobby Tables guide to SQL injection, however, I was intrigued by the XKCD connection.

I gave it a read, and found it was short, sweet, and clear; it covers the bases. In short, if you don't already know how to avoid SQL injection vulnerabilities in your own code, it's definitely worth a read.

In case you're too lazy, though, I will tell you the secret to avoiding SQL injection vulnerabilities right here. All you have to do is follow these two rules, quoted from the Bobby Tables guide:

  • Do not create SQL statements that include outside data.
  • Use parameterized SQL calls.

That's it. That is all you need to do, and it is the only way to be sure. The Bobby Tables guide provides some code examples to help clarify the details.
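As an added example (not code from the Bobby Tables guide or from this article), here are the two rules side by side in Python's sqlite3 module, run against a constructed Students table. The first lookup pastes outside data into the SQL text and breaks rule 1; the second passes the value as a parameter and follows rule 2.

```python
import sqlite3

# Constructed sample data for the example; names and grades are made up.
STUDENTS = [("Alice", "A"), ("Bob", "B"), ("O'Brien", "C")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)", STUDENTS)
    return conn


def grade_unsafe(conn, name):
    """Breaks rule 1: outside data becomes part of the SQL statement text,
    so quotes in the input change the meaning of the query."""
    sql = f"SELECT grade FROM Students WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def grade_safe(conn, name):
    """Follows rule 2: the statement is fixed, and the driver sends the
    value separately, so the input is only ever a literal string."""
    sql = "SELECT grade FROM Students WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input; report a database error as text
    rather than raising, so the two behaviours can be seen side by side."""
    conn = make_db()
    try:
        unsafe = grade_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    return {"unsafe": unsafe, "safe": grade_safe(conn, name)}


if __name__ == "__main__":
    # A plain name, a legitimate name with an apostrophe, and the textbook
    # tautology: only the parameterized version gets all three right.
    for name in ["Alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(name), compare(name))
```

Note that the apostrophe in O'Brien breaks the string-built query just as surely as a hostile input does; parameterization fixes a correctness bug and the security hole at the same time.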

Chad Perrin is an IT consultant, developer and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
