Question

I have read the posts about SQL injection, and there I saw that they use the query strings of sites to hack them. I want to know whether it is safe to use query strings or not, and how to make my site stable against SQL injection.


Solution

A SQL injection usually comes from bugs in code that runs server side and submits SQL queries to a database. Many bugs in the way you implement this can result in a SQL injection. You can read values from a URL, but before you plug these values into a SQL query you should do some checking.

To answer your question: query strings are safe; the way you use the variables that are in them may not be.

As for making your site not vulnerable to them, you should implement all your data access layer code (calls to stored procedures, CRUD operations, functions, etc.) so that it is not vulnerable to them. For instance, if you use queries in which you pass parameterized variables, then you can avoid a great deal of SQL injections. Please take a look here:

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

OTHER TIPS

If you build your SQL statements from untrusted data, such as query strings, then you are vulnerable to SQL injection.
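The two answers above make the same point: a query-string value is just data, and the risk appears only when it is concatenated into SQL text. The following added example (not code from either answer) puts the vulnerable pattern beside the parameterized form using Python's standard `sqlite3` module and an in-memory database with constructed sample rows; the `user` parameter name and the table layout are assumptions for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs


def build_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def username_from_query_string(qs):
    """Pull the 'user' value out of a raw query string such as 'user=alice'.

    parse_qs already URL-decodes the value; nothing here makes it safe to
    splice into SQL, it is simply the untrusted input the site receives.
    """
    params = parse_qs(qs)
    return params.get("user", [""])[0]


def lookup_unsafe(conn, username):
    """Vulnerable: the input becomes part of the SQL statement text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the driver sends the value separately from the SQL,
    so quotes or keywords inside it are never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def unsafe_raises_on_quote(conn, username):
    """True if the concatenating version cannot even handle a legitimate
    name containing an apostrophe (a robustness bug, not only a security one)."""
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    # A crafted query-string value whose quotes alter the concatenated SQL.
    crafted = username_from_query_string("user=x%27+OR+%271%27%3D%271")
    print("unsafe returns", len(lookup_unsafe(db, crafted)), "rows")  # every user
    print("safe   returns", len(lookup_safe(db, crafted)), "rows")    # none
    # A perfectly ordinary name breaks the concatenating version outright.
    print("unsafe breaks on O'Brien:", unsafe_raises_on_quote(db, "O'Brien"))
    print("safe handles O'Brien:", lookup_safe(db, "O'Brien"))
```

The placeholder syntax differs by driver (`?` in sqlite3, `%s` in psycopg2, named parameters in many ORMs), but the principle is the same everywhere: the SQL text is fixed at the time the statement is prepared and the values travel separately. Checking the input on top of that (for example, rejecting a non-numeric `id`) is still worthwhile, but parameterization is the control that removes the injection, not the validation.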

Licensed under: CC-BY-SA with attribution