Help keep the world safe from SQL injection


A while back, I put up as a repository for showing people the right way to handle external data in their SQL calls. Whenever someone pops up on a mailing list or IRC and they're building SQL statements using external tainted data, you can just refer them to the site.

In the past few days, I've spiffed up the site (with design help from Jeana Clark) and added pages on Perl and PHP. I need more examples, though. It's 2010, and there's no excuse for not knowing about parameterized SQL calls.
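The "right way" and "wrong way" side by side, as an added example in Python that is not code from the original post or from the site it describes. The users table, the credentials in it, and the function names are all constructed for this demonstration; the database is an in-memory SQLite file so it runs offline.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original post.
# Plaintext passwords only keep the example short; real code stores a hash.
SAMPLE_USERS = [
    ("admin", "hunter2", 1),
    ("alice", "s3cret", 0),
    ("bob", "password", 0),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    # Parameterized even here: the same habit applies to seed data.
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """DON'T DO THIS: the user's input is spliced into the SQL text, so it
    can change the statement's structure instead of just supplying a value."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """DO THIS: the statement text is fixed, and the driver hands the values
    to the database separately, so input can only ever be compared as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_vulnerable(conn, name):
    """DON'T DO THIS: the same flaw in an exact-match lookup."""
    sql = "SELECT username FROM users WHERE username = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_safe(conn, name):
    """DO THIS: one ? placeholder per value, values passed as a tuple."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


if __name__ == "__main__":
    conn = make_db()
    # A comment marker in the username ends the statement early, so the
    # password comparison is never evaluated.
    print(login_vulnerable(conn, "admin' --", "wrong"))  # True: bypassed
    print(login_safe(conn, "admin' --", "wrong"))        # False
    # A tautology turns an exact-match lookup into "return every row".
    print(search_vulnerable(conn, "' OR '1'='1"))        # every user
    print(search_safe(conn, "' OR '1'='1"))              # []
```

Two caveats worth keeping in mind: placeholders bind values only, so a table or column name or an ORDER BY direction chosen by the user still has to be checked against an allow-list; and whether a stacked second statement (the `DROP TABLE` of the comic) actually runs depends on the driver, since sqlite3's `execute()` refuses more than one statement per call while some other drivers do not, which is why the fix is parameterization rather than relying on that behaviour.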

The site source is hosted on github, so if you have any contributions, please fork it and let me know about your changes, or you can email me directly.


P.S. In the next few days, I hope to fire up some redesign on, too.


This came up in my RSS feed with its title truncated: "Help keep the world safe from SQL". Now that's a cause I could get behind! I was so disappointed when I got here...

I notice that for every language, you only give code examples of how you are supposed to do it.

Except Python.

For Python only, you first give an example of what not to do, followed by the example of what you should do. Unless you're trying to sabotage Python users, it might be a good idea to use a different color scheme for the "don't do this" section, rather than relying on people to notice that those three words actually precede that example.

I didn't find anywhere to comment on 'bobby-tables', nor an email address for you.

The Perl example uses do( $sql ), but that is only suitable for insert, update or delete, because do() returns the number of rows affected. The SQL in the example is a select, trying to extract actual records.


