Application Security and Development Security Technical Implementation Guide
SRG-APP-000251
The application must not be vulnerable to SQL Injection.
An XCCDF Rule
High Severity
Vulnerability Discussion

SQL Injection is a code injection attack against database applications. Malicious SQL statements are inserted into an application data entry field, where they are submitted to the database and executed. This is a direct result of not validating input that the application uses to perform a command or execute an action. Successful attacks can read data, write data, execute administrative functions within the database, shut down the DBMS, and in some cases execute OS commands.

Best practices to reduce the potential for SQL Injection vulnerabilities include:
- Not using concatenation or replacement to build SQL queries.
- Using prepared statements with parameterized queries that have been tested and validated not to be vulnerable to SQL Injection.
- Using stored procedures that have been tested and validated not to be vulnerable to SQL Injection.
- Escaping all user-supplied input.

Additional steps to prevent SQL Injection can be found at the OWASP website: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Documentable: false
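As an added illustration that is not part of the STIG text, the following shows the concatenation pattern the rule forbids beside the parameterized query it recommends, using Python's built-in sqlite3 module against a constructed in-memory table; the table, column and function names are assumptions chosen for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_concat(conn, name):
    """Vulnerable form: the query is built by string concatenation, so the
    user-supplied value is parsed as part of the SQL grammar. A quote
    character in the input terminates the literal and the remainder of
    the input is executed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_param(conn, name):
    """Hardened form: a prepared, parameterized statement. The driver
    passes the value to the engine as data, so nothing in it can change
    the structure of the query; the whole input is compared as one string."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def compare():
    """Run both forms on a normal value and on a value containing a quote,
    returning the rows each one matched so the difference is visible."""
    conn = make_db()
    benign = "alice"
    # A value whose quote character breaks the concatenated literal; the
    # vulnerable query then matches every row instead of one user.
    quoted = "x' OR '1'='1"
    return {
        "concat_benign": find_user_concat(conn, benign),
        "concat_quoted": find_user_concat(conn, quoted),
        "param_benign": find_user_param(conn, benign),
        "param_quoted": find_user_param(conn, quoted),
    }


if __name__ == "__main__":
    for label, rows in compare().items():
        print(f"{label}: {rows}")
```

The parameterized form returns no rows for the quoted input because the database compares the entire string, quote included, against the name column; the concatenated form returns every user, which is exactly the data exposure the rule is written to prevent.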