Use Safe Database Query Methods
Software should use parameterised queries or stored procedures to safely access databases.
Plain language
When software needs to access a database, it's crucial to use safe methods like parameterised queries or stored procedures. Doing this prevents hackers from manipulating your database with harmful queries. If you don't, you risk exposing sensitive business or customer data, which can lead to financial and reputational harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Parameterised queries or stored procedures, instead of dynamically generated queries, are used by software for database interactions.
Why it matters
Not using parameterised queries or stored procedures can enable SQL injection, leading to unauthorised data access, data loss, and service disruption.
Operational notes
Review application code and ORM usage to ensure all SQL uses parameterised queries or stored procedures; test for SQL injection in CI and during releases.
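As an added illustration (not part of the ISM text or this page's own material), the pattern the control rules out and the compliant pattern side by side in Python with the standard sqlite3 module, plus a heuristic source scan of the kind a CI job could run as a first pass for the code review described above. The table, rows, input values and function names are constructed for the demonstration; the scan is a coarse filter for human review, not proof that injection is absent.

```python
import re
import sqlite3

# Constructed in-memory sample data for the demonstration (not from any real system).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_dynamic(conn: sqlite3.Connection, username: str) -> list[str]:
    """The pattern ISM-1276 rules out: query text is assembled from untrusted input,
    so the input can change the statement's structure, not just the compared value."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list[str]:
    """Compliant pattern: the SQL text is fixed and the driver binds the value
    separately, so whatever the input contains is only ever compared as data."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def compare(username: str) -> tuple[list[str], list[str]]:
    """Run the same input through both patterns and return both result sets."""
    conn = make_db()
    return lookup_dynamic(conn, username), lookup_parameterised(conn, username)

# Heuristic review aid (constructed, not an official check): flag source lines that
# contain a SQL verb and also build the string with an f-string, %-formatting,
# .format() or concatenation. Lines it flags still need a human to confirm.
_SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
_DYNAMIC = re.compile(r"""\bf["']|%\s*\(|\.format\(|["']\s*\+|\+\s*["']""")

def find_dynamic_sql(source: str) -> list[int]:
    """Return 1-based line numbers of lines that appear to build SQL dynamically."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if _SQL_VERB.search(line) and _DYNAMIC.search(line)]

if __name__ == "__main__":
    print(compare("alice"))
    # Dynamic query returns every row; parameterised query returns [] because the
    # whole string is treated as a (non-matching) username.
    print(compare("x' OR '1'='1"))
```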
Implementation tips
- Database administrators should ensure all software uses parameterised queries instead of dynamically building query strings from input. This can be achieved by teaching developers how to use programming libraries and frameworks that support this feature.
- IT teams need to review all software that interacts with the database to confirm it uses stored procedures for data access. Stored procedures should be developed and tested to handle expected data and scenarios, reducing the risk of unexpected database commands.
- Software developers should work with database specialists to convert existing database access code into parameterised queries or stored procedures. This involves identifying parts of code where database queries are created, then refactoring these to use secure methods.
- Project managers should schedule regular training sessions for developers on secure coding practices, including the use of parameterised queries. Practical workshops are effective, focusing on real examples where input validation reduces risks.
- Management should enforce a policy where new software or updates must be reviewed by a security expert before being deployed. This ensures every piece of software adheres to the best practices in accessing databases safely.
Audit / evidence tips
- Ask: the list of applications that interact with databases.
  Good: code that makes use of libraries known for their secure query capabilities.
- Ask: policy documents regarding database access methods. Look to see if there's a clear mandate to use parameterised queries and stored procedures.
  Good: a policy with detailed procedures and examples, approved and up to date.
- Ask: training records regarding secure database access methods.
- Ask: to see logs or records of software changes related to database access.
  Good: a detailed change log reflecting conscious updates to secure interactions.
Cross-framework mappings
How ISM-1276 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (2):

| Control | Notes |
|---|---|
| Annex A 8.25 | ISM-1276 requires a specific secure implementation pattern for database access: parameterised queries or stored procedures instead of dyn... |
| Annex A 8.28 | ISM-1276 requires software to use parameterised queries or stored procedures (rather than dynamically generated queries) for database int... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.