
The Bobby Tables guide to SQL injection

Avoiding SQL injection vulnerabilities is much easier than you might think. A comic from XKCD inspired a simple tutorial.

In Exploits of a Mom, XKCD #327 made a joke about an SQL injection exploit only a mother could love:

Click through to see the comic at xkcd.com. The TechRepublic column width is narrower than the full-size comic.

I'm sure many of you had a good laugh at it the first time you encountered this at XKCD (I have no illusions that my readers don't follow XKCD). It is certainly true that SQL injection vulnerabilities seem to be more the rule than the exception, especially in the realm of PHP, ColdFusion, and ASP.NET content management systems. Considering how simple the rules for avoiding SQL injection vulnerabilities are, the frequency of such vulnerabilities is quite dismaying.

A number of guides to understanding -- and protecting yourself against -- SQL injection are available on the Web. Quite a large number of them, actually. A few examples include:

I can't vouch for all of those. I have not read most of them, because there isn't really a lot one needs to read. When I recently ran across the Bobby Tables guide to SQL injection, however, I was intrigued by the XKCD connection. I gave it a read, and found it was short, sweet, and clear. It covers the bases. In short, if you don't already know how to avoid SQL injection vulnerabilities in your own code, it's definitely worth a read.

In case you're too lazy, though, I will tell you the secret to avoiding SQL injection vulnerabilities right here. All you have to do is follow these two rules, quoted from the Bobby Tables guide:

  • Do not create SQL statements that include outside data.
  • Use parameterized SQL calls.

That's it. That is all you need to do, and it is the only way to be sure. The Bobby Tables guide provides some code examples to help clarify the details.
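To make the two rules concrete, here is an added example of my own (not code from the Bobby Tables guide) using Python's built-in sqlite3 module and an in-memory database. The Students table, the sample names, and the function names are assumptions constructed for the example. The first lookup breaks rule one by splicing outside data into the statement text; the second follows rule two, so the same input is treated as a value to compare against, not as SQL. The final insert shows that a name containing SQL fragments is stored verbatim when it travels as a parameter.

```python
import sqlite3

# Constructed sample data; the table and names are assumptions for this example.
SAMPLE_STUDENTS = ["Alice", "Bob", "Carol"]


def make_db():
    """Create an in-memory database with a small Students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # The insert itself is parameterized, so the sample names are data, not SQL.
    conn.executemany("INSERT INTO Students (name) VALUES (?)",
                     [(n,) for n in SAMPLE_STUDENTS])
    conn.commit()
    return conn


def find_student_unsafe(conn, name):
    """Breaks rule 1: outside data becomes part of the statement text."""
    sql = "SELECT name FROM Students WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_student_safe(conn, name):
    """Follows rule 2: the statement is fixed; the value is bound separately."""
    sql = "SELECT name FROM Students WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def add_student_safe(conn, name):
    """Parameterized insert: whatever the name contains is stored as a literal."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def demo():
    """Run both lookups on the same input and report what each returns."""
    conn = make_db()
    # A classic tautology: the unsafe query becomes  name = '' OR '1'='1'
    tautology = "' OR '1'='1"
    unsafe = find_student_unsafe(conn, tautology)  # every row comes back
    safe = find_student_safe(conn, tautology)      # no student has that name
    # Little Bobby Tables: stored as an ordinary (if odd) name, nothing dropped.
    bobby = "Robert'); DROP TABLE Students;--"
    add_student_safe(conn, bobby)
    stored = find_student_safe(conn, bobby)
    return {"unsafe_rows": unsafe, "safe_rows": safe, "stored": stored}


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the parameterized version never has to "escape" anything: the database driver receives the statement and the value through separate channels, so there is no way for the value to change the shape of the query.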

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

4 comments
millerjwm

All of the links in the article lead me to the Tech Republic error page.

Tony Hopkinson

where external input is involved. :p Two aspects to why this is still widely prevalent. There are still way too many how-to examples like this on Google: Execute('Select * From SomeTable Where SomeField = \'' + TextBox1.text + '\''). There is an ongoing perception that it is OK for an internal CRUD application. I must confess I do build a lot of SQL strings, and I have to stop myself when it's user input; hard habit to break...

apotheon

Do you need to make some changes to your code now? Are you as annoyed as I am with Web applications like WordPress, yet?

apotheon

I have no idea how that happened, but it has been fixed. Thanks for pointing it out.
