Offer "prepared statements" to prevent SQL-injection

273
0
01-14-2022 06:36 AM
Status: Open
Labels (1)
martinstoeckli
New Contributor II

Nowadays most developers are aware, that they have to use prepared statements or parametrized queries to mitigate SQL-injection attacks, this is especially important because more and more data is available online.

The concept of parametrized queries can be implemented by individual developers, by writing their own libraries, which escape the user input according to their data type, before entering them into an SQL string. If the SDK would offer such functionallity, this would be even better and probably safer, example:

 

SELECT * FROM users WHERE name = [owner]
➽ Variables: owner="O'Brian"
➽ Sent to database: SELECT * FROM users WHERE name = 'O''Brian'

 

The gold standard for security are prepared statements though, the SQL command and the user input are passed separately to the database, and the database never has to extract the user input from the SQL command, example:

 

SELECT * FROM users WHERE name = [owner]
➽ Variables: owner="O'Brian"
➽ Both, sql-command and variables sent to database

 

Most databases can handle prepared statements, but only when the SDK offers such functionallity, and passes the parameters to the database, developers can make use of it.