A1 Injection (SQL Injection)
The main cause of SQL injection vulnerabilities:
1. SQL commands are not protected from untrusted input, so the SQL parser is not able to distinguish between code and data.
The issue is that this coding technique does not tell the parser which part of the statement is code and which part is data. This allows an attacker to modify the SQL statement by adding code to the data that the web site exposed for the attacker to manipulate.
What to Review
1. Always validate user input by testing type, length, format, and range.
2. Test the size and data type of input and enforce appropriate limits.
3. Test the content of string variables and accept only expected values. Reject entries that contain binary data, escape sequences, and comment characters.
4. When you are working with XML documents, validate all data against its schema as it is entered.
5. Never build SQL statements directly from user input.
6. Use stored procedures to validate user input; when not using stored procedures, use the SQL API provided by the platform, i.e. parameterized statements.
7. Implement multiple layers of validation.
8. Never concatenate user input that has not been validated. String concatenation is the primary point of entry for script injection.
9. Review all code that calls EXECUTE, EXEC, or any SQL call that can reach outside resources or the command line.
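The concatenation problem from the list above and its fix, as an added example that is not part of the original post or of the OWASP guide: a vulnerable string-built query next to a parameterized one, with a hypothetical `is_valid_username` check as the extra validation layer. The table and rows are constructed in memory.

```python
import re
import sqlite3

# Constructed in-memory sample data (not from the original page).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
conn.executemany(
    "INSERT INTO users (username, role) VALUES (?, ?)",
    [("alice", "admin"), ("bob", "user"), ("carol", "user")],
)

# Hypothetical validator: the "type, length, format and range" check from the list.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value):
    # Only a short alphanumeric token passes; quotes, comment markers (--),
    # semicolons, escape sequences and binary data are all rejected.
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def find_user_concat(username):
    # VULNERABLE: the input is spliced into the statement text, so the parser
    # cannot tell where the data ends and the code begins.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(username):
    # SAFE: the statement carries a placeholder and the driver sends the value
    # separately, so it is only ever treated as data. Validation is the second
    # layer; even without it the placeholder would simply match no row.
    if not is_valid_username(username):
        return []
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    payload = "x' OR '1'='1"  # constructed input showing code added to data
    print(find_user_concat(payload))  # every user comes back
    print(find_user_param(payload))   # nothing comes back
```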
Source: OWASP Code Review Guide V2.0
Good aspects taken from the OWASP Code Review Guide; the blog is concise, in easy-to-understand language. Perfect.
Thanks :)