search

A3:2021 | SQL Injection Mitigation (1) | Cycubics Docs

hashtag
Immutable Queries

These are the best defense against SQL injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.

hashtag
Static Queries

SELECT * FROM products;
SELECT * FROM users WHERE user = "'" + session.getAttribute("UserID") + "'";

hashtag
Parameterized Queries

String query = "SELECT * FROM users WHERE last_name = ?";
PreparedStatement statement = connection.prepareStatement(query);
statement.setString(1, accountName);
ResultSet results = statement.executeQuery();

hashtag
Stored Procedures

Only if stored procedure does not generate dynamic SQL.

hashtag
Immutable Queries

These are the best defense against SQL injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.

hashtag
Static Queries

hashtag
Parameterized Queries

hashtag
Stored Procedures

Only if stored procedure does not generate dynamic SQL.

PreviousA3:2021 | Injection | SQL Injection Mitigation | Cycubix DocsNextA3:2021 | SQL Injection Mitigation (2) |

Last updated

Was this helpful?