I have provided an answer for Python... please flesh this by helping cover their good examples for other languages.

Never trust user input, never trust client input whatsoever, client side sanitation work is useless, it does not take much sophistication to gain access to your internet application directly. Always perform sanitation server-side, don't even make use of client-side sanitation, it's a total waste of effort. You will find a few techniques which are helpful for staying away from SQL injection attacks, I'll range from least preferred to many preferred.

  • 3: Custom-Written Value Sanitation. Avoid writing your personal sanitation programs whenever possible except when it is absolutely your best option remaining (that is most unlikely in a modern language). Input sanitation is really a hard problem, and also the costs of setting it up wrong are huge. It is best to leave that job to another person. When you're instructed to depend about this method use whitened-listing instead of black-listing to sanitize input.

  • 2: Framework / Library Based Value Sanitation. Leave the sanitation programs towards the domain experts. Sanitation programs in first party frameworks and libraries are usually produced through the same people who authored the DB or even the SQL API. There is a much greater possibility of knowing, and correctly handling, all the edge cases than you need to do. A good example of this method could be using php's mysql_escape_string() function to sanitize values that'll be placed into strings that function as dynamic SQL claims.

  • 1: Parameter Binding. (also known as prepared claims) Rather than creating a SQL statement like a raw string including user data as with-place literal values, produce a SQL statement with tokens in which the user data could be. Then bind the consumer provided data towards the appropriate parameters. The important thing here is this fact binds the provided data to some specific type along with a specific use and removes any chance to alter the logic from the SQL statement. This can be along with library based input sanitation too.

Here's a good example in C# (Java and Python have similar benefits, see a few of the other solutions):

SqlCommand userInfoQuery = new SqlCommand(

    "Choose id, title, email FROM customers WHERE id = @UserName",


SqlParameter userNameParam = userInfoQuery.Parameters.Add("@UserName",

    SqlDbType.VarChar, 25 /* max period of area */ )

// userName is a few string valued user input variable

userNameParam.Value = userName

While using Python DB API, avoid this:

cmd = "update people set title='%s' where id='%s'" % (title, id)


rather, do that:

curs.execute('update people set title=:1 where id=:2', [title, id])

If you are using .Internet, there is a pretty comprehensive article on staying away from SQL Injection on MSDN: http://msdn.microsoft.com/en-us/library/ms161953(loband).aspx

But, much like Wargames, the easiest method to win the SQL Injection game isn't to experience. Avoid using SQL strings - make use of an OR/M tool like LINQ to SQL, SubSonic, NHibernate, etc. Any popular OR/M (like individuals I pointed out) uses parameterized queries along with other safeguards to avoid SQL Injection.

The venerable Joel Spolsky authored a fascinating article for this kind of factor. Should you haven't see clearly yet, have a look at Making wrong code look wrong.

Obviously the greater method is always to always employ parameterized queries or any other built-in language features if at all possible.

in case your DB enables them, saved methods might help reduce the chance of sql injection.