Description
SQL injection is a type of attack in which malicious SQL is inserted into input data, allowing attackers to manipulate the database. Successful exploitation can lead to data theft, modification of database records, unauthorized access, and even control over the entire database management system (DBMS).
Recommendation
Prevent SQL injection by using prepared statements or parameterized queries rather than concatenating user input directly into the SQL query text. Where prepared statements are not feasible, validate and sanitize all input properly. Use whitelists to restrict user input wherever possible.
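The recommendation above, as an added example (not code from this page or any referenced project): the concatenating query beside its parameterized form, plus a whitelist check for the one thing a parameter cannot bind, a column name. The table, rows and function names are constructed for the demonstration; it runs against SQLite from the Python standard library.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn

def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the input is spliced into the SQL text, so any quote
    # character in `name` changes the structure of the statement the DBMS parses.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized form: the statement text is fixed and `name` is bound as a
    # value, so the DBMS never interprets its contents as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# Column names are identifiers, not values, and cannot be bound as parameters.
# Restrict them to a whitelist instead of interpolating user input.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}

def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT name FROM users ORDER BY {sort_by}").fetchall()

if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe already breaks the concatenated
    # query; the parameterized one handles it as plain data.
    print(find_user_safe(db, "O'Brien"))
    try:
        find_user_unsafe(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed to parse:", exc)
```

The parse failure on an ordinary apostrophe is the same mechanism an attacker exploits with crafted input, which is why the concatenating form must be replaced rather than patched around.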
References
- OWASP: SQL Injection
- OWASP: ESAPI project
- Wikipedia: Prepared statement
- CWE-20
- CWE-89
- CAPEC-66
- OWASP 2021-A3
Related Issues
- Blind SQL Injection - Vulnerability
- Possible SQL Injection - Vulnerability
- Joomla! Component Com_cbcontact 'contact_id' SQLI - Vulnerability
- Joomla! Component Com_rsgallery2 2.0 'catid' SQLI - Vulnerability
Tags
- SQL Injection
- Database
- Injection
Last updated on May 13, 2024