The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Most databases and application development platforms provide APIs for han-

dling untrusted input in a secure way which prevents SQL injection vulnera-

bilities from arising. In parameterized queries (also known as prepared

formed in two steps:

1. The application specifies the structure of the query, leaving placehold-

ers for each item of user input.

2. The application specifies the contents of each placeholder.

Crucially, there is no way in which crafted data that is specified at the sec-

ond step can interfere with the structure of the query specified in the first step.

Because the query structure has already been defined, the relevant API han-

dles any type of placeholder data in a safe manner, and so it is always inter-

preted as data rather than part of the statement’s structure.

The following two code samples illustrate the difference between an 

unsafe query dynamically constructed out of user data, and its safe parame-

terized counterpart. In the first, the user-supplied 

name

ded directly into a SQL statement, leaving the application vulnerable to SQL

injection:

//define the query structure

String queryText = “select ename,sal from emp where ename =’“;

//concatenate the user-supplied name

queryText += request.getParameter(“name”);

queryText += “‘“;

// execute the query

stmt = con.createStatement();

rs = stmt.executeQuery(queryText);