300002 : SQL Injection

Risk 5 : Web Services

SQL injection is a technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed, and is thereby unexpectedly executed as part of the SQL statement.

An attacker can use this vulnerability to read any information from the database that the web application has access to, sometimes to write new data to the database, and in some cases to gain full control over the system.

SQL injection occurs when user input is not properly encoded, filtered, or typed before being used in a SQL statement. To fix this issue, application developers must encode, filter, or type-check data before it is used. For example, if a value is supposed to be an integer, typecast it as an integer. If a value is supposed to be a string, encode or filter any SQL command characters in it.

Solution:

Some languages provide built-in functions that handle part of the encoding for you. Note that filtering will typically not prevent attacks that exploit poor typecasting (i.e. encoding a value that is not placed inside quotes will potentially still let an attack through unless the value is also typecast).

In PHP you can use the mysql_real_escape_string() function. If you are using .NET, please visit http://msdn.microsoft.com/en-us/library/ms998271.aspx for generic code fixes.
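The following is an added example, not part of the original finding text and not code from ControlScan or from the referenced .NET article. It uses Python's standard sqlite3 module against a constructed in-memory table to show the three points above side by side: the vulnerable concatenation, the typecast fix for an integer field, and why string-literal escaping alone does not protect a value placed outside quotes. For the string field it uses driver parameter binding, which is the standard way most database APIs deliver the "encode the value as data" fix; the escaping helper and all table contents are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample database (not from the original finding)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, user_id):
    """The flaw described in the finding: untrusted input is concatenated
    straight into the statement, so SQL in the input changes the query."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]

def escape_string_literal(value):
    """Escaping in the spirit of mysql_real_escape_string(): doubles single
    quotes so a value cannot close the quoted literal it sits inside.
    Constructed for illustration; it does nothing for an unquoted position."""
    return value.replace("'", "''")

def lookup_escaped_int(conn, user_id):
    """The caveat from the text: escaping applied to an unquoted integer
    position. Input such as '1 OR 1=1' contains no quote character, so the
    escaped string is identical and still rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = " + escape_string_literal(user_id)
    return [row[0] for row in conn.execute(sql)]

def lookup_typecast(conn, user_id):
    """Fix for an integer field: enforce the type before the value reaches SQL.
    int() raises ValueError for anything that is not an integer, so malformed
    input is rejected instead of being executed."""
    safe_id = int(user_id)
    sql = "SELECT name FROM users WHERE id = %d" % safe_id
    return [row[0] for row in conn.execute(sql)]

def typecast_rejects(conn, user_id):
    """True if lookup_typecast refuses the input, False if it accepted it."""
    try:
        lookup_typecast(conn, user_id)
    except ValueError:
        return True
    return False

def lookup_parameterized(conn, name):
    """Fix for a string field: bind the value as a parameter. The driver sends
    it as data, so quote characters in the input never alter the statement."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign input :", lookup_vulnerable(db, "1"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, "1 OR 1=1"))
    print("escaped but unquoted     :", lookup_escaped_int(db, "1 OR 1=1"))
    print("typecast rejects input   :", typecast_rejects(db, "1 OR 1=1"))
    print("typecast, benign input   :", lookup_typecast(db, "1"))
    print("parameterized, benign    :", lookup_parameterized(db, "alice"))
    print("parameterized, quote in  :", lookup_parameterized(db, "alice' OR '1'='1"))
```

Running the module prints one line per case; the interesting pair is the escaped-but-unquoted lookup, which returns every row exactly as the unprotected one does, against the typecast lookup, which never lets the malformed value reach the database at all.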

References:
Credit:
ControlScan : 2009-12-04