
Defence in Depth, Part 4: Validate Everything, Parameterize SQL Queries


In this article, we discuss two ways that developers can make sure their applications are more secure, and will not fall victim to attacks like SQL Injection.


Trust No One, Validate Everything

Unfortunately, most vulnerabilities at the application layer can't simply be patched by applying an update. In order to fix web application vulnerabilities, software engineers often need to correct mistakes within the application code. It is, therefore, ideal for software engineers to understand the security risks associated with user input. At the end of the day, all user input should be considered unsafe.

By never trusting the user, and validating every input, an application can be built to be more secure and more robust. This applies to any injection vulnerabilities such as SQL injection and cross-site scripting, but it also applies to vulnerabilities that would allow an attacker to bypass authentication, or request a file they should never be allowed to see.

Parameterize SQL Queries

While encrypting database tables and restricting access to a database server are valid security measures, building an application to withstand SQL injection attacks is a crucial web application defense strategy.

SQL injection is one of the most widespread and most damaging web application vulnerabilities. Fortunately, both programming languages and the RDBMSs themselves have evolved to give web application developers a way to query the database safely: parameterized SQL queries.

Parameterized queries are simple to write and understand. They force the developer to define the entire SQL statement beforehand, using placeholders for the variable values within that statement. The developer then passes each parameter to the query after the SQL statement has been defined, which allows the database to distinguish between the SQL command and the data entered by a user. If an attacker enters SQL commands, the parameterized query treats that input as a string value rather than as part of the SQL command.

Application developers should avoid "sanitizing" their input by escaping or removing special characters (there are several encoding tricks an attacker could use to bypass such protections) and should instead rely on parameterized queries to avoid SQL injection vulnerabilities.
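As an added example (not code from the original article), here is a concatenated query beside its parameterized equivalent, written with Python's standard `sqlite3` module against a constructed in-memory `users` table; the function and column names are assumptions for illustration. The parameterized version also handles a legitimate apostrophe in a name, which the concatenated version cannot.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table (not data from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable form: user input is spliced into the SQL text.

    The database receives one string and cannot tell where the command
    ends and the data begins, so special characters in the input change
    the meaning of the statement (or simply break it).
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Parameterized form: the statement is fixed before any value arrives.

    The driver passes the value separately from the SQL text, so whatever
    the user typed is compared as a literal string and never parsed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]
```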

Rest of the Series

  1. Defense in Depth and How it Applies to Web Applications
  2. Defense in Depth, Part 2: Security Before Obscurity
  3. Defense in Depth, Part 3: The Least Privilege Principle



Published at DZone with permission of
