How to prevent SQL injection attacks: A cheat sheet

SQL injection takes place when database software can't tell the difference between arbitrary data from the user and genuine commands from the application. When an attacker injects commands into the data they send to a database, they can take database control away from the application owner. This can lead to data corruption, leaks of confidential data, or the bypass of essential logic (e.g., authentication, authorization checks).

The good news is that you can prevent SQL injection attacks by using a special feature that allows database software to separate application commands from user-supplied data. You can also prevent untrusted user data from going directly to the database.

SQL injection cheat sheet

Let's look out onto a variety of actionable ways to prevent SQL injection attacks:

Identify SQL injection attack vectors for your application and database solution

• Check the National Vulnerability Database for known bugs in your chosen database solution.
• After selecting the database solution, analyze available safety features (e.g., parameterized queries). These allow the database to ignore any commands injected into data that the user supplies.
• Analyze the application's design to identify potential SQL injection attack vectors. Additionally, highlight data paths where commands containing tainted data may be re-used to attack queries that don't directly accept user data.

Develop SQL query best practices and protections

• Write a set of coding standards that anticipate and protect common use cases for SQL database queries.
• Develop and approve safe SQL query templates and make them available for developer use.
• Identify database use cases that are unique to your application. Also develop custom validation or query building code if parameterization queries aren't enough.
• Create or customize automated source code scanning tool rules to check for vulnerabilities as code is being written.

Educate developers about the SQL risks and protection methods

• Ensure that developers are familiar with application-specific threats and data sources.
• Provide developers with foundational training about the risks and general mitigations involving SQL injection.
• Specify coding standards and standard SQL query templates. Run training sessions on the standards and templates so that developers clearly understand how to use them.

Find problems in the code

• Perform automated testing to detect SQL injection vulnerabilities in the source code.
• Implement manual reviews to ensure that coding standards are followed when a SQL query appears in the code.

Test for SQL injection

• Build test cases that attempt to manipulate the database through SQL injection. Run those tests during the QA process.
• Run automated dynamic application scanning tools to further test for SQL injection.
• Bring in a third-party penetration tester. Provide them access to the design documents with which they can then perform white box testing.