Who is Bobby Tables?

Cartoon from the comic strip xkcd

School: "Hi, this is your son's school. We're having some computer trouble."

Mom: "Oh, dear -- Did he break something?"

School: "In a way. Did you really name your son Robert'); DROP TABLE Students;-- ?"

Mom: "Oh. Yes. Little Bobby Tables we call him."

School: "Well, we've lost this year's student records. I hope you're happy."

Mom: "And I hope you've learned to sanitize your database inputs."

(Alt-text: "Her daughter is named Help I'm trapped in a driver's license factory.")

How to avoid Bobby Tables

There is only one way to avoid Bobby Tables attacks:

  • Do not build SQL statement text out of outside data (user input, query strings, file contents, rows from another database).
  • Use parameterized SQL calls: the statement text and the data values are sent to the database separately, so the data is never parsed as SQL.

That's it. Don't try to escape or filter special characters yourself. Don't try to do it yourself. Learn how to use parameterized statements and use them always, every single time.

The strip gets one thing crucially wrong. The answer is not to "sanitize your database inputs" yourself. Hand-written escaping has to be right for every quoting rule, character encoding and database the code will ever meet, and it is prone to error. Parameterization removes the problem instead of patching it.
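As an added example (not code from bobby-tables.com or its per-language pages), the following Python uses the standard-library sqlite3 module to put the vulnerable and the parameterized versions side by side. The schema, the headcount table and the script-style enrolment routine are constructed for the demonstration; the `BOBBY` string is the name from the comic. It also goes a step beyond the comic: the last two functions show that a driver which refuses to run a second statement does not save you, because a value pasted into a WHERE clause can still rewrite the query.

```python
import sqlite3

# The name from the comic, used here as constructed sample input.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """Constructed sample schema: a Students table plus a headcount row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL);"
        "CREATE TABLE Enrollment (total INTEGER NOT NULL);"
        "INSERT INTO Enrollment (total) VALUES (0);"
        "INSERT INTO Students (name) VALUES ('Alice');"
        "UPDATE Enrollment SET total = total + 1;"
    )
    return conn


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


def enroll_unsafe(conn, name):
    """VULNERABLE: outside data is pasted into the SQL text.

    The two-statement script (insert, then bump the headcount) is run as a
    batch by executescript(), so a name that closes the quote and the
    parenthesis turns into extra statements of the attacker's choosing.
    """
    script = (
        f"INSERT INTO Students (name) VALUES ('{name}');\n"
        "UPDATE Enrollment SET total = total + 1;"
    )
    conn.executescript(script)


def enroll_safe(conn, name):
    """Parameterized: the SQL text is fixed, the value is bound separately."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.execute("UPDATE Enrollment SET total = total + 1")
    conn.commit()


def find_student_unsafe(conn, name):
    """VULNERABLE even though execute() refuses a second statement:
    a value such as  ' OR '1'='1  rewrites the WHERE clause instead."""
    sql = f"SELECT name FROM Students WHERE name = '{name}'"
    return [r[0] for r in conn.execute(sql)]


def find_student_safe(conn, name):
    """Parameterized: the value is compared as a string, never parsed as SQL."""
    return [
        r[0]
        for r in conn.execute("SELECT name FROM Students WHERE name = ?", (name,))
    ]


def demo():
    # 1. Concatenation plus a batch API: Students disappears, as in the strip.
    db = fresh_db()
    enroll_unsafe(db, BOBBY)
    dropped = not table_exists(db, "Students")

    # 2. Parameterized: the table survives and the odd name is stored verbatim.
    db = fresh_db()
    enroll_safe(db, BOBBY)
    names = student_names(db)

    # 3. Single-statement API, still concatenated: every row leaks.
    probe = "' OR '1'='1"
    leaked = find_student_unsafe(fresh_db(), probe)
    exact = find_student_safe(fresh_db(), probe)
    return dropped, names, leaked, exact


if __name__ == "__main__":
    print(demo())
```

Run it and compare the four results: the unsafe enrolment drops the table, the parameterized one stores the full string `Robert'); DROP TABLE Students;--` as an ordinary name, the unsafe lookup returns every student for a value that matches nobody, and the parameterized lookup returns nothing. Nowhere does the safe code inspect or escape the input; the placeholder does all the work.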

Examples

See the page for your specific language.

Other random resources

Patches welcome

Don't see a language that you'd like to see represented? Please let me know if you have updates or additions through one of these methods, in decreasing order of preference.

To do

  • Explain why creating code from outside data is bad.
  • Potential speed win when reusing prepared statements.

Thanks

Thanks to the following folks for their contributions:
