A guide to preventing SQL injection

SQL injection is still one of the more common exploits against web applications, and yet it is one of the easier ones to guard against. Unfortunately, bad tutorials often teach newbie developers bad habits that enable injection attacks, rather than teaching the more secure methods of interacting with databases.

Yes, PHP often gets a lot of flak for this, as its status as an introductory language makes for a greater number of subpar coders and introductory tutorials, but SQL injection is by no means a “PHP thing.” Actually, there are probably more resources warning about SQL injection for PHP than for other languages…

Wouldn’t it be useful if there were one resource you could point people to that explains SQL injection and shows examples of best practices in their language of choice? has examples of safe methods to handle database interaction in several languages, including PHP, Python, C#, Ruby and Java. Plus, it gets bonus points for referencing the relevant XKCD comic. (There really is one for every occasion, isn’t there?)
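To make the "bad habit" versus "right way" contrast concrete, here is an added example in Python (not code from the post or from the linked site). It builds a constructed in-memory SQLite table, runs the same lookup two ways, and shows why only the parameterized version is safe: the driver sends the value separately from the SQL text, so user input can never be parsed as SQL.

```python
import sqlite3

# Constructed sample data for this example; not from the original post.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The bad habit: untrusted input is spliced into the SQL string.

    Whatever the caller passes becomes part of the statement itself, so a
    value containing a quote changes the meaning of the WHERE clause.
    """
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """The right way: a parameterized query.

    The SQL text is fixed; the value travels as a bound parameter and is
    only ever compared as data. It is also shorter and easier to read.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh database and return (vulnerable, safe) results."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # Honest input: both versions agree.
    print(compare("alice"))
    # The classic tautology payload: the vulnerable query returns every row,
    # while the parameterized query correctly finds no such username.
    print(compare("' OR '1'='1"))
```

Running it with an honest username gives identical results from both functions; with the tautology input, `lookup_vulnerable` dumps the whole table while `lookup_safe` returns nothing, which is exactly the difference a code reviewer should be looking for.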

  • Andy Lester

    Thanks for the link and the article. My hope is that will be the canonical source that we point people at to say “This is the right way to deal with preventing SQL injection.”

    • Matt

      The funny/sad part is that it’s often easier, or at least cleaner-looking, to do it the right way. Like in the Python example. :/