gaspersic/freeCodeCamp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
63fc21f702d53e35f5f11d917f10c7fe121d8219
freeCodeCamp/guide/english/security/query-parameterization/index.md
Mrugesh Mohapatra da0df12ab7 fix(guide): simplify directory structure
2018-10-16 21:32:40 +05:30

2.8 KiB
Raw Blame History

title
title
Query Parameterization

Query Parameterization

A common mistake when connecting your program to a database is to accept a user's input and apply it directly to the database without checking it first. This is a dangerous habit to get into, and you may hear more experienced developers warning others to "sanitize input" or "parameterize queries".

Let's start with a short example demonstrating the problem:

(the following snippets are written in C# for MySQL, but the concept applies to any language and database)

The Problem

public void RetrieveEmployeeInfo(string username)
{
    using (var connection = new MySqlConnection("valid_connection_string"))
    {
        var query = "SELECT * FROM EMPLOYEES WHERE USERNAME = '" + username + "'";

        using (var command = new MySqlCommand(query, connection))
        {
            var reader = command.ExecuteReader();
            while (reader.Read())
            {
                // do something with the results of your query, like display the employee
            }
        }
    }
}

At first glance, that might seem fairly harmless. If the user types "JDOE" into your program, and it's passed to this function, you'll end up executing a query like this:

SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE';

The problem becomes more apparent when you consider what happens if the user doesn't type what you expect. What if they type something like JDOE'; DROP TABLE EMPLOYEES; --? Your "query" string now looks like this, which will select the employee info, then delete the entire EMPLOYEES table!

SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE'; DROP TABLE EMPLOYEES; --'

The Solution

To prevent issues like this, we can parameterize our queries. Let's look at another example:

public void RetrieveEmployeeInfo(string username)
{
    using (var connection = new MySqlConnection("valid_connection_string"))
    {
        var query = "SELECT * FROM EMPLOYEES WHERE USERNAME = @username";

        using (var command = new MySqlCommand(query, connection))
        {
            command.Parameters.AddWithValue("username", username);
                    
            var reader = command.ExecuteReader();
            while (reader.Read())
            {
                // do something with the results of your query, like display the employee
            }
        }
    }
}

Now what happens if the user types in JDOE'; DROP TABLE EMPLOYEES; --? Our program ends up executing a query like this one and, finding no employee whose username actually matches that input, simply returns no records.

SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE\'; DROP TABLE EMPLOYEES; --'

No matter which language or database you're using, if you consider querying the database using user input, check the documentation for the proper way to parameterize queries.