Commit

Update SQL_Injection_Prevention_Cheat_Sheet.md
lint cleanup
jmanico committed Nov 20, 2023
1 parent 8706fb4 commit 9a3c4e0
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md
Expand Up @@ -53,7 +53,7 @@ If your database encoder is missing, please let us know.
- **Also: Enforcing Least Privilege**
- **Also: Performing Allow-list Input Validation as a Secondary Defense**

**Anatomy of A Typical SQL Injection Vulnerability**
## Anatomy of A Typical SQL Injection Vulnerability

A common SQL injection flaw in Java is below. Because its unvalidated "customerName" parameter is simply appended to the query, an attacker can enter SQL code into that query and the application would take the attacker's code and execute it on the database.

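Review bot: the new `##` heading for "Anatomy of A Typical SQL Injection Vulnerability" sits two levels above the `####` headings this same commit introduces for the later subsections; if no `###` heading lies between them, markdownlint's MD001 (heading-increment) will flag the jump, so confirm the intended hierarchy before merging. Converting the bold line to a real heading is the right fix for MD036 (no-emphasis-as-heading); while here, lowercase "A" so the title case matches the other headings in this file.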
Expand All @@ -77,7 +77,7 @@ When developers are taught how to write database queries, they should be told to
If database queries use this coding style, the database will always distinguish between code and data, regardless of what user input is supplied.
Also, prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.

**Safe Prepared Statement in Java**
#### Safe Prepared Statement in Java

In the safe Java example below, if an attacker were to enter the userID of `tom' or '1'='1`, the parameterized query would look for a username which literally matched the entire string `tom' or '1'='1`. Thus, the database would be protected against injections of malicious SQL code.

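Review bot: line 31 calls the input "the userID" and then says the query looks for "a username"; since this pass is already touching the heading directly above, align the two terms to the single field the example actually binds so the reader is not left wondering whether two columns are involved. The bold-to-`####` conversion itself is fine and matches the other subsections in this commit.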
Expand All @@ -104,7 +104,7 @@ Occasionally, prepared statements can harm performance. If this occurs, you shou

```

**Safe C\# .NET Prepared Statement**:
#### Safe C\# .NET Prepared Statement

In .NET, the creation and execution of the query doesn't change. Just pass the parameters to the query using the `Parameters.Add()` call as shown below.

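Review bot: dropping the trailing colon from the new heading is correct for MD026 (no-trailing-punctuation) and consistent with the other conversions in this commit. The `\#` escape in `C\#` is valid CommonMark and renders as `C#`, but because this line is now a heading rather than bold text it will feed any generated table of contents, so check that the site build does not show the backslash literally there.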
Expand Down Expand Up @@ -132,7 +132,7 @@ Query safeHQLQuery = session.createQuery("from Inventory where productID=:
safeHQLQuery.setParameter("productid", userSuppliedParameter);
```

**Other Examples of Safe Prepared Statements**
#### Other Examples of Safe Prepared Statements

If you need examples of prepared queries/parameterized languages, including Ruby, PHP, Cold Fusion, Perl, and Rust, see the [Query Parameterization Cheat Sheet](Query_Parameterization_Cheat_Sheet.md) or this [site](http://bobby-tables.com/).

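Review bot: the link text "this site" on line 49 is non-descriptive; since the surrounding headings are being cleaned up for lint, rename it to "bobby-tables.com" so the destination is clear in the rendered page and in link-checker output. The heading conversion matches the others in this commit.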
Expand All @@ -152,7 +152,7 @@ Occasionally, stored procedures can increase risk when a system is attacked. For

However, stored procedures require execute rights, a role that is not available by default. Some setups where the user management has been centralized, but is limited to those 3 roles, cause all web apps to run under db_owner rights so stored procedures can work. Naturally, that means that if a server is breached the attacker has full rights to the database, where previously they might only have had read-access.

**Safe Java Stored Procedure Example**:
#### Safe Java Stored Procedure Example

The following code example uses Java's implementation of the stored procedure interface (`CallableStatement`) to execute the same database query. The `sp_getAccountBalance` stored procedure has top be predefined in the database and use the same functionality as the query below.

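Review bot: the context on line 58 contains a typo, "has top be predefined", which should read "has to be predefined"; as this is a lint cleanup that already edits the heading immediately above it, fix the typo in the same commit. The `####` heading with the colon removed is consistent with the other conversions.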
Expand All @@ -169,7 +169,7 @@ try {
}
```

**Safe VB .NET Stored Procedure Example**:
#### Safe VB .NET Stored Procedure Example

The following code example uses a `SqlCommand`, .NET's implementation of the stored procedure interface, to execute the same database query. The `sp_getAccountBalance` stored procedure must be predefined in the database and use the same functionality as the query defined above.

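Review bot: the sentence on line 67 describes `SqlCommand` as ".NET's implementation of the stored procedure interface", which is loose: `SqlCommand` executes arbitrary command text and only invokes a stored procedure when its `CommandType` is set to `CommandType.StoredProcedure`. A short wording change such as "uses a `SqlCommand` with `CommandType.StoredProcedure` to call the same stored procedure" would be accurate and would pair with the `CallableStatement` description in the Java section. The heading change itself is fine.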
Expand All @@ -189,7 +189,7 @@ The following code example uses a `SqlCommand`, .NET's implementation of the sto

If you are faced with parts of SQL queries that can't use bind variables, such as the names of tables or columns as well as the sort order indicator (ASC or DESC), input validation or query redesign is the most appropriate defense. When names of tables or columns are needed, ideally those values come from the code and not from user parameters.

**Sample Of Safe Table Name Validation**
#### Sample Of Safe Table Name Validation

WARNING: If user parameter values are used for targeting different table names and column names, this is a symptom of poor design and a full rewrite should be considered if time allows. If that is not possible, developers should map the parameter values to the legal/expected table or column names to make sure unvalidated user input doesn't end up in the query.

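Review bot: the new heading "Sample Of Safe Table Name Validation" keeps "Of" capitalised, whereas "Other Examples of Safe Prepared Statements" two hunks earlier lowercases "of"; pick one title-case convention across the headings this commit converts. The WARNING paragraph on line 76 is unchanged and reads correctly, and the heading above it accurately describes the content (mapping user parameters to an allow-list of table and column names).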
