Who is Bobby Tables?
School: Hi, this is your son's school. We're having some computer trouble.
Mom: Oh, dear -- Did he break something?
School: In a way. Did you really name your son Robert'); DROP TABLE Students;-- ?
Mom: Oh. Yes. Little Bobby Tables we call him.
School: Well, we've lost this year's student records. I hope you're happy.
Mom: And I hope you've learned to sanitize your database inputs.
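What the comic describes, shown in code. This is an added example, not code from the site: an in-memory SQLite database stands in for the school's records, the unsafe function builds its SQL by concatenation (using executescript so the injected statement runs, as it would on a driver that accepts multiple statements), and the safe function passes the name as a bound parameter.

```python
import sqlite3

# The exact name from the comic, used here as constructed sample input.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory database with a Students table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.commit()
    return conn


def insert_unsafe(conn, name):
    """Builds the SQL by string concatenation: the bug the comic mocks.

    executescript() is used because, like a driver configured to accept
    multiple statements, it runs the injected DROP TABLE after the INSERT.
    """
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)


def insert_safe(conn, name):
    """Sends the name as a bound parameter; the driver never parses it as SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def student_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]


def demo():
    """Returns (did the table survive the unsafe insert?, names after the safe insert)."""
    unsafe = fresh_db()
    insert_unsafe(unsafe, BOBBY)
    survived = student_table_exists(unsafe)  # False: this year's records are gone

    safe = fresh_db()
    insert_safe(safe, BOBBY)
    return survived, student_names(safe)  # Bobby is stored as a literal name
```

The bound-parameter version stores Bobby's full name, odd punctuation and all, and no amount of quoting in the input can change which statements run.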
Examples
See the sidebar to the left for your specific language.
Other languages
This site is available under a Creative Commons license and may be freely translated on other sites. Other sites:
Other resources
- SQL Injection Myths and Fallacies
- How to Write Injection-Proof SQL
- Defending Against SQL Injection Attacks
- Detecting Postgres SQL Injection
Patches welcome
Don't see a programming language that you'd like to see represented? Please let me know if you have updates or additions through one of these methods, in decreasing order of preference.
- Fork the bobby-tables repository at github, make your changes, and send me a pull request.
- Add an issue in the issue tracker.
- Email me, Andy Lester, at andy at petdance.com.
To do
- Explain why creating code from outside data is bad.
- Potential speed win when reusing prepared statements.
Thanks
Thanks to the following folks for their contributions:
- Alex Haible
- Richard Neill
- Kim Christensen
- Kirk Kimmel
- Nathan Mahdavi
- Hannes Hofmann
- Mike Angstadt
- Peter Ward
- David Wheeler
- Scott Rose
- Erik Osheim
- Russ Sivak
- Iain Collins
- Kristoffer Sall Hansen
- Jeff Emminger
- Travis Swicegood
- Will Coleda
- Kai Baesler
- Mike Markley
- Michael Schwern
- Jeana Clark
- Lars Dieckow
- Jani Hur
- Sven van Haastregt
- Andrey Chasovskikh
- Erwin Brandstetter
- Mariano Valles
- Deane Barker
- Pete Freitag
- Patrick Spek
- Jacob Walker
- Glenn Jenkins
- Dave Jacoby
- Adrian Lynch
- Paul Curry
- Mason McGlothlin
- Ramprakash R
- Dave Rolsky
- Zev Spitz
- Erik von Asmuth