Database injection

Does the software use a framework (ORM or parameterized query API) for all database queries? Yes / No

One of the most common web application vulnerabilities is a database injection attack. It arises when developers are allowed to write queries by hand and splice untrusted input (request parameters, form fields, headers) directly into the query text without parameterization or proper sanitization.

In most cases the database is SQL based, which opens the door to SQL injection. The reliable prevention is to never construct database statements by string concatenation and to always go through a framework (an ORM or a driver's parameterized queries / prepared statements), so that every value is bound as data rather than interpreted as part of the statement. Escaping is a weaker fallback and is easy to get wrong. Application developers should rule out manual SQL construction in the code base (including the framework's own raw-query escape hatches, which reintroduce the same risk when fed concatenated strings) so that no room is left for human error.
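To make the difference concrete, here is an added example (not code from the original page) using Python's standard sqlite3 module and an in-memory database. The table, the two sample users and the injection payload are all constructed for the illustration. The hand-built query lets a tautology in the password field bypass the check and return every user; the parameterized version binds the same string as a plain value and matches nothing.

```python
import sqlite3

# Constructed sample data for this example; not taken from any real system.
USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hand-built query: untrusted input is concatenated into the SQL text.

    This is the anti-pattern the checklist item is about. Anything the caller
    puts in `password` becomes part of the statement the database parses.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same lookup with placeholders: the driver binds the values as data.

    The statement text is fixed at development time; user input can never
    change its structure, so quotes and keywords in the input are harmless.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> tuple:
    """Run both lookups against a classic tautology payload in the password field.

    Returns (vulnerable_result, parameterized_result). The concatenated query
    becomes ... AND password = '' OR '1'='1' ..., which is true for every row
    because AND binds tighter than OR, so every user comes back. The
    parameterized query compares the password column against the literal
    string and finds no match.
    """
    conn = setup_db()
    payload = "' OR '1'='1"  # constructed injection payload for the demo
    vulnerable = login_vulnerable(conn, "alice", payload)
    safe = login_parameterized(conn, "alice", payload)
    return vulnerable, safe


if __name__ == "__main__":
    bad, good = demo()
    print("concatenated query returned:", bad)      # every user, auth bypassed
    print("parameterized query returned:", good)    # no rows, as intended
```

The same two-line comparison applies to any framework: the moment a raw-query method is handed a string built with `+`, `%` or an f-string, the code is back in the `login_vulnerable` case regardless of which library executes it. A cheap review check is to grep the code base for `execute(` calls whose first argument is not a constant string.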

Applies for: Everyone

Related incidents:

Links: