
The Bobby Tables guide to SQL injection

By Scott Clark
on October 6, 2009

Avoiding SQL injection vulnerabilities is much easier than you might think, and an XKCD strip inspired a simple tutorial on it. In Exploits of a Mom, XKCD #327 made a joke about an SQL injection exploit only a mother could love. I’m sure many of you had a good laugh the first time you encountered it at XKCD.

It is certainly true that SQL injection vulnerabilities seem to be more the rule than the exception, especially in the realm of PHP, ColdFusion, and ASP.NET content management systems. Considering how simple the rules are for avoiding SQL injection vulnerabilities, the frequency of such vulnerabilities is quite dismaying.

In case you’re too lazy to read the guide, though, I will tell you the secret to avoiding SQL injection vulnerabilities right here. All you have to do is follow these two rules, quoted from the Bobby Tables guide:

Do not create SQL statements that include outside data.
Use parameterized SQL calls.

That’s it. That is all you need to do, and it is the only way to be sure. The Bobby Tables guide provides some code examples to help clarify the details.
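To show the two rules side by side, here is an added example (not code from the Bobby Tables guide or this article) that runs the strip's famous name through a query built by string concatenation and then through a parameterized query, using Python's sqlite3 module and a constructed in-memory Students table:

```python
import sqlite3

# Constructed sample input: the name XKCD #327 is built around.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory database with a Students table and one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def add_student_unsafe(conn, name):
    """Rule 1 broken: outside data is pasted into the SQL text.
    sqlite3's execute() refuses multi-statement strings, so this
    naive 'run this SQL string' helper uses executescript(); the
    name closes the quote and statement, appends DROP TABLE, and
    the trailing -- comments out the rest of the original query."""
    conn.executescript("INSERT INTO Students (name) VALUES ('" + name + "');")


def add_student_safe(conn, name):
    """Rule 2 followed: the SQL text is fixed and the name travels as a
    bound parameter, so its quotes and semicolons are just characters."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]


def demo():
    """Same input through both paths; returns (table survived unsafe path, names after safe path)."""
    unsafe = fresh_db()
    add_student_unsafe(unsafe, BOBBY)
    survived = table_exists(unsafe, "Students")  # False: the table is gone

    safe = fresh_db()
    add_student_safe(safe, BOBBY)
    return survived, student_names(safe)  # the odd name is stored verbatim, nothing else happens
```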

To read the full story, visit http://www.zdnetasia.com/techguide/security/0,39044901,62058329,00.htm