Who is Bobby Tables?
School: Hi, this is your son's school. We're having some computer trouble.
Mom: Oh, dear -- Did he break something?
School: In a way. Did you really name your son Robert'); DROP TABLE Students;--?
Mom: Oh. Yes. Little Bobby Tables we call him.
School: Well, we've lost this year's student records. I hope you're happy.
Mom: And I hope you've learned to sanitize your database inputs.
Examples
See the sidebar to the left for your specific language.
Other resources
- SQL Injection Myths and Fallacies
- How to Write Injection-Proof SQL
- Defending Against SQL Injection Attacks
- Detecting Postgres SQL Injection
Patches welcome
Don't see a language that you'd like to see represented? Please let me know if you have updates or additions through one of these methods, in decreasing order of preference.
- Fork the bobby-tables repository at github, make your changes, and send me a pull request.
- Add an issue in the issue tracker.
- Email me, Andy Lester, at andy at petdance.com.
Translations also welcome
Help translate this site! There are less than 200 phrases. No programming necessary.
See the instructions at the bobby-tables repository at github.
To do
- Explain why creating code from outside data is bad.
- Potential speed win when reusing prepared statements.
Thanks
Thanks to the following folks for their contributions:
- Kim Christensen
- Kirk Kimmel
- Nathan Mahdavi
- Hannes Hofmann
- Mike Angstadt
- Peter Ward
- David Wheeler
- Scott Rose
- Erik Osheim
- Russ Sivak
- Iain Collins
- Kristoffer Sall Hansen
- Jeff Emminger
- Travis Swicegood
- Will Coleda
- Kai Baesler
- Mike Markley
- Michael Schwern
- Jeana Clark
- Lars Dɪᴇᴄᴋᴏᴡ
- Jani Hur
- Sven van Haastregt
- Andrey Chasovskikh
- Erwin Brandstetter
