Avoiding SQL injection vulnerabilities is much easier than you might think. A comic from XKCD inspired a simple tutorial.
In Exploits of a Mom, XKCD #327 made a joke about an SQL injection exploit only a mother could love:
Click through to see the comic at xkcd.com. The TechRepublic column width is narrower than the full-size comic.
I'm sure many of you had a good laugh at it the first time you encountered this at XKCD (I have no illusions that many of my readers wouldn't follow XKCD). It is certainly true that SQL injection vulnerabilities seem to be more the rule than the exception, especially in the realm of PHP, ColdFusion, and ASP.NET content management systems. Considering how simple the rules are for avoiding SQL injection vulnerabilities, the frequency of such vulnerabilities is quite dismaying.
A number of guides to understanding -- and protecting yourself against -- SQL injection are available on the Web. Quite a large number of them, actually. A few examples include:
- Unixwiz SQL Injection Attacks by Example
- SQL Injection Cheat Sheet
- SecuriTeam SQL Injection Walkthrough
- OWASP SQL Injection
- MSDN SQL Injection
I can't vouch for all of those. I have not read most of them, because there isn't really a lot one needs to read. When I recently ran across the Bobby Tables guide to SQL injection, however, I was intrigued by the XKCD connection. I gave it a read, and found it was short, sweet, and clear. It covers the bases. In short, if you don't already know how to avoid SQL injection vulnerabilities in your own code, it's definitely worth a read.
In case you're too lazy, though, I will tell you the secret to avoiding SQL injection vulnerabilities right here. All you have to do is follow these two rules, quoted from the Bobby Tables guide:
- Do not create SQL statements that include outside data.
- Use parameterized SQL calls.
That's it. That is all you need to do, and it is the only way to be sure. The Bobby Tables guide provides some code examples to help clarify the details.