Development Phase Checklist
Development Phase Checklist
During active development, follow these practices:
# Developer checklist implementation helper
class SQLInjectionPrevention:
"""Reference implementation for SQL injection prevention checklist"""
# Checklist Item 1: Always use parameterized queries
@staticmethod
def parameterized_query_example(user_id, status):
# ✓ CORRECT: Parameterized query
cursor.execute(
"SELECT * FROM users WHERE id = %s AND status = %s",
(user_id, status)
)
# ✗ WRONG: String concatenation
# query = f"SELECT * FROM users WHERE id = {user_id}"
# Checklist Item 2: Validate all input
@staticmethod
def input_validation_example(user_input):
# ✓ CORRECT: Comprehensive validation
if not isinstance(user_input, str):
raise ValueError("Input must be string")
if len(user_input) > 100:
raise ValueError("Input too long")
if not re.match(r'^[a-zA-Z0-9\s-]+$', user_input):
raise ValueError("Invalid characters in input")
return user_input.strip()
# Checklist Item 3: Use allowlists for dynamic queries
@staticmethod
def dynamic_query_example(table_name, column_name):
# ✓ CORRECT: Allowlist validation
allowed_tables = ['users', 'orders', 'products']
allowed_columns = ['id', 'name', 'created_at', 'status']
if table_name not in allowed_tables:
raise ValueError("Invalid table name")
if column_name not in allowed_columns:
raise ValueError("Invalid column name")
# Safe to use after validation
query = f"SELECT {column_name} FROM {table_name} WHERE active = %s"
cursor.execute(query, (True,))
# Checklist Item 4: Implement proper error handling
@staticmethod
def error_handling_example():
try:
# Database operation
result = db.query("SELECT * FROM users WHERE id = %s", (user_id,))
except DatabaseError as e:
# ✓ CORRECT: Log detailed error, return generic message
logger.error(f"Database error for user {user_id}: {str(e)}")
return {"error": "An error occurred processing your request"}
# ✗ WRONG: Expose database error to user
# return {"error": str(e)}