OWASP Developer Guide

Secure Database Access Checklist

4.2.3 Checklist: Secure Database Access

Ensure that access to all data stores is secure, including both relational databases and NoSQL databases.

Refer to proactive control C3: Secure Database Access for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project.

Secure queries

  • Use Query Parameterization to prevent untrusted input being interpreted as part of a SQL command
  • Use strongly typed parameterized queries
  • Utilize input validation and output encoding and be sure to address meta characters
  • Do not run the database command if input validation fails
  • Ensure that variables are strongly typed
  • Connection strings should not be hard coded within the application
  • Connection strings should be stored in a separate configuration file on a trusted system and they should be encrypted

Secure configuration

  • The application should use the lowest possible level of privilege when accessing the database
  • Use stored procedures to abstract data access and allow for the removal of permissions to the base tables in the database
  • Close the database connection as soon as possible
  • Turn off all unnecessary database functionality
  • Remove unnecessary default vendor content, for example sample schemas
  • Disable any default accounts that are not required to support business requirements

Secure authentication

  • Remove or change all default database administrative passwords
  • The application should connect to the database with different credentials for every trust distinction (for example user, read-only user, guest, administrators)
  • Use secure credentials for database access


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.