Search query dynamically created is unsafe
When you are creating the clauses, use PDO::quote on the $word variable before adding it to the string, it will sanitize and escape the value. Then you don't need to bindParam with shortwords, but you get the same functionality. something like this should work: if (!in_array($word,array('and','the','him','her','for','new','you'))){ $safe = $conn->quote('%'.$word.'%'); $shortwords.=...
Can't see how my code can be SQL injected but apparently it can? [duplicate]
(My implementation of MySQL uses # to denote comments, not //). Here is how a user could get all of your products, active or not: &scatid=1059' UNION ALL SELECT * from products # Or an even easier way: &scatid=1059' OR 1=1 # For each example, imagine what the query would...
Cfquery causing XSS and SQL Injection issues
coldfusion,xss,sql-injection,cfquery
You need to use <cfqueryparam>. Check the documentation at: https://wikidocs.adobe.com/wiki/display/coldfusionen/cfqueryparam Try something like this (you should change the CFSQLType to match whatever your DB columns are): <cfquery name="enter_question" datasource="#dsn#"> INSERT INTO xx_questions(q_id, q_name, q_narrative, q_used, q_type) VALUES( <cfqueryparam value="#variables.new_q_id#" CFSQLType="CF_SQL_INTEGER">, <cfqueryparam value="#form.q_name#" CFSQLType="CF_SQL_VARCHAR">, <cfqueryparam...
preventing sql injection in php [duplicate]
There is extensive information through simple Google searches that can guide you in the right direction. To start though: DON'T USE MYSQL_* FUNCTIONS These are deprecated and will generate warnings. They are not even remotely good practice for modern web development. USE A DATABASE LIBRARY INSTEAD like PDO or MySQLi....
How do I prevent MySQL Database Injection Attacks using vb.net?
mysql,.net,database,vb.net,sql-injection
MySQLCon.Open() Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@memberToAdd, @memberGamingTag, @memberRole)" COMMAND = New MySqlCommand(SQLADD, MySQLCon) COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text) COMMAND.Parameters.AddWithValue("@memberGamingTag", membersGamertag.Text) COMMAND.Parameters.AddWithValue("@memberRole", membersRole.Text) COMMAND.ExecuteNonQuery() memberToAdd.Text = "" membersGamertag.Text = "" membersRole.Text = "" MySQLCon.Close() MySQLCon.Dispose() You don't need to use...
SELECT and UPDATE rows at the query?
mysql,sql,security,sql-injection
I am not familiar with MySQL but from my SQL Server experience I can tell you that you cannot combine a SELECT and UPDATE statements both in a single query. Moreover - any modern database system should be smart enough to prevent you if you are trying to sneak in...
Can an SQL injection be made with a single word in a SELECT statement?
php,mysqli,sql-injection,sanitization
You can still exploit this using hex coding: stripping spaces is not enough. I guess this is a somewhat interesting place to start. But consider that preg_match()es are pretty bad for performance on high traffic sites. Prepared statements and parameterized queries are always the best way to prevent SQL injections....
Using PDO to avoid SQL injections - newbie
First, you can't mix mysqli and PDO. Second, the problem with your query is that you have 6 placeholders, but you're only filling in one of them when you call execute(). It should be: $sql->execute(array(':userid' => $userid, ':name' => $name, ':mobile' => $mobile, ':bilnr' => $billnr, ':regnr' => $regnr, ':username'...
Prevent this statement from SQL injection
java,sql,jdbc,prepared-statement,sql-injection
That query cannot fall into SQL injection. The queries that fall in this category are those queries that you build by plain String concatenation. For example: String query = "SELECT COUNT(*) FROM EZ_DAY WHERE colX = " + stringParameter; Statement stmt = con.createStatement(query); ResultSet rs = stmt.executeQuery(); In your case,...
detectecting destructive SQL queries with C#
c#,sql,asp.net,regex,sql-injection
You can do: if (badSqlList.Any(r => sqltext.IndexOf(r, StringComparison.InvariantCultureIgnoreCase) >= 0)) { //bad SQL found } IndexOf with StringComparison enum value will ensure case insensitive comparison. Another approach could be: return sqltext.Split() .Intersect(badSqlList,StringComparer.InvariantCultureIgnoreCase) .Any() Split your Sql on white space and then compare each word with your white list array. This...
Need information on SQL Injection in ASP.Net MVC 4
sql,asp.net,asp.net-mvc-4,sql-injection
As a rule of a thumb: Aways cast the values (provided through Request) to concrete type which are you using in the application logic. If you are using ORM/ODM to access the data storage you recieve built in SQL injection protection :). This tool may be examins only the the...
In what does prepared SQL statement differ from htmlspecialchars converted GET variable?
php,security,mysqli,sql-injection
Parameterised queries are a database feature; the database itself offers an API to take the query and its data separately. This leaves zero chance of anything going wrong*. Compare that to any string encoding/slicing/replacing operation you do in PHP, in the end you'll still be sending one long string to...
SQL injection and JPA
It is still subject to SQL injection; for example (*): SELECT ac.password FROM AccountInfo ac WHERE ac.userId = 'x'; could be switched to SELECT ac.password FROM AccountInfo ac WHERE ac.userId = 'inexistentId' or ac.userType = 'administrator' (*) Yes, storing plain text passwords is also wrong to begin with, it is...
Strip-tags vs htmlentities vs other. Which has the better security in php?
javascript,php,sql,security,sql-injection
You have it confused. strip_tags() should only be used when you want to remove HTML tags from a block of text. It shouldn't be applied on a user-input password. For example, if your user had a password hello<there>, it would strip away <there> and the password then would just be...
How to pass columns as parameters in dynamic sql - C#, sql server compact
c#,sql-server-ce,sql-injection,dynamic-sql,string.format
This is the only possible approach, and there is no risk of injection with SQL Server Compact, as that database engine only executes a single statement per batch.
How they works: DB-Connect and SQL Injection?
php,mysql,include,sql-injection,dbconnection
How the foreach stops SQL injection? This is really really important, so I'm going to say it very loudly in the hope that people might understand… IT DOESN'T! "Why not?", I hear you ask. Well, my young padawan, that is because: It only escapes strings Let's imagine a website...
WordPress SQL Injection URL parameter
Nope. That's raw PHP you've got there. You'll have to make it safe yourself. As long as all you're doing with $prtmr is printing it out you don't need to worry about SQL injection, just XSS attacks....
Prevent SQL Injection in Livecode
LiveCode does sanitisation and uses parameters in queries as described here. So, if you are building your query like this, LiveCode is not helping, and you do need to escape your own query: get revDataFromQuery(tab, return, gConnectionID, "SELECT * FROM users WHERE email LIKE '%" & theSearchString & "%'") However,...
SQL injection vulnerability magically fixing itself?
Your sanitize function fails to escape the string properly when an added backslash happens to be at the last position of the allowed string length. Suppose that we only want to have strings up to 5 instead of 500 characters and that $_POST['welcome_text'] contains 4 As and one single quote:...
PHP Prepared statement login
php,mysql,login,passwords,sql-injection
Use // it will be an array('name' => 'John', 'password_hash' => 'abcd') // or FALSE if user not found $storedUser = $query->fetch(PDO::FETCH_ASSOC); instead of $username = $query->fetchColumn(1); $pw = $query->fetchColumn(2); Because fetchColumn moves cursor of result. So first call extracts 1 column of first row, and second call will extract...
does XSS filtering in codeigniter doesn't prevent SQL injections?
php,sql,codeigniter,sql-injection
First of all, both topics are not specific to CodeIgniter. But CodeIgniter has specific way to handle some of this. Please read https://ellislab.com/codeigniter/user-guide/general/security.html Remember that CodeIgniter will not save you from any of these and you must understand how both of these attacks works. It is important to understand these...
SQL Injection who should handle it? [closed]
security,sql-injection,separation-of-concerns
Only the code that actually talks to the database (i.e. System B) should be concerned with protecting against SQL injection (typically, just by using bound parameters). Anything at a higher level is not in a position to effectively protect against SQL injection - it won't actually know what kind of...
Mysql real escape [closed]
The problem is that you aren't using it... Make this change. <?php $address = mysql_real_escape_string($_POST['bitcoinaddress']); $btc = mysql_real_escape_string($_POST['btcamount']); $phone = mysql_real_escape_string($_POST['phonenumber']); $con = mysql_connect("localhost","db user","password"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("db_name", $con); $sql="INSERT INTO `db_name`.`form` (`bitcoinaddress`, `btcamount`, `phonenumber`) VALUES ('".$address."','".$btc."','".$phone."')"; if...
Safe way to open cursor with dynamic column name from user input
sql,sql-injection,plpgsql,dynamic-sql,postgresql-9.4
This would work: SELECT tst('f1'); The problem you are facing: format() interprets parameters concatenated with %I as one identifier. You are trying to pass a table-qualified column name that consists of two identifiers, which is interpreted as "t1.f1" (one name, double-quoted to preserve the otherwise illegal dot in the name....
Is it possible to install malicious code with a SQL injection attack
sql-server,security,sql-injection
Yes, SQL server can execute master..xp_cmdshell command which executes windows command line operations, allowing further taking over the server and installing things on it. SQL Server also supports C# code embedding. I would take the server for forensics analysis if its important, or delete it altogether if it's not.
How to avoid SQL injection and other security failure in JavaFX desktop application
SQL Injection attacks are related to malicious statements deliberately sent by the end user to the database, while JavaFX is the front-end from a user's point of view. That said, let's assume you have a login screen to input user and password. Could you prevent the user to type one...
Simple Linq Security
c#,sql,asp.net,xss,sql-injection
Well, this is where it helps to know something about the implementation of LINQ-to-SQL you are using. I would imagine that every implementation would by default escape arguments to the LINQ extension methods, but never hurts to double-check. In general, you want there to always be a middle-man sitting between...
Effective protection function against SQL injection
php,mysql,sql,sql-injection,sanitization
The short answer is that it's not safe at all. Here's what's wrong with it... You're checking get_magic_quotes_gpc, which has been removed from PHP for years You're using htmlentities to encode the string if magic quotes is on, but not if it's off (way to corrupt your data) Why are...
Preventing SQL injection in a report generator with custom formulas
sql-server,sql-injection,sql-server-2014
not really - many injections involve comments (to comment out the rest of the regulare statment) so you could check for comments (-- and /*) and the ; sign (end of statment). On the other side if you allow your users to put anything into the filters - why should...
How to prepare statement with mysqli for select query
How about this? $category = "Acoustic"; $sql = "SELECT * FROM products WHERE Category = ? ORDER BY RAND()"; $stmt = $DB->prepare($sql); $stmt->bind_param('s', $category); $stmt->execute(); $row_AcousticDB = $stmt->get_result(); // altenative: $stmt->bind_result($row_AcousticDB); $row_AcousticDB->fetch_array(MYSQLI_ASSOC) If you let the user enter any data (in text boxes on website) or you pull anything out...
Could somebody please explain Prepared statements? [closed]
Read up on them here http://php.net/manual/en/pdo.prepared-statements.php. Prepared statements don't escape characters, but they separate them from the SQL query they're attached to. You'll still want to escape any user-submitted data when you're outputting. When making SQL queries, however, prepared statements are a much more effective way of avoiding SQL injections....
Issue about XSS Attack and SQL Injection
php,security,mysqli,xss,sql-injection
The SQL stuff is fine, parameterised queries are the best-practice approach to prevent SQL injection. The approach to XSS is... a bit weird. HTMLPurifier is of use where you want to allow the user to input limited HTML markup. That can be reasonable for formattable freetext fields (like I'm guessing...
PDO insert not working
php,mysql,database,pdo,sql-injection
you have to binfd parameter after the query not before $DATA = $con->prepare("INSERT INTO users (ip) VALUES ( :ip )"); $DATA->bindValue(':ip', $ip , PDO::PARAM_STR); // if ip column is string $DATA->execute(); some ref...
What are the best ways to prevent SQLInjection in CodeIgniter [duplicate]
The best way to do is Open the file config.php file location application/config make the following code to true |-------------------------------------------------------------------------- | Global XSS Filtering |-------------------------------------------------------------------------- | | Determines whether the XSS filter is always active when GET, POST or | COOKIE data is encountered | */ $config['global_xss_filtering'] = FALSE; to...
PHP / MySQLi: How to prevent SQL injection on INSERT (code partially working)
php,mysql,mysqli,sql-injection,sql-insert
In the New PHP code snippet, you are still vulnerable to injections. You are using a prepared statement in the insert part, but you are not actually using the preparations strengths correctly. When creating a prepared statement, you create a query in which you add placeholders instead of the raw...
Safety from SQL injection
sql,sql-server,c#-4.0,sql-injection
In short, the answer is no. You need to always use parameters in your queries. SqlCommand com = new SqlCommand("select * from hs where ac between @ac1 and @ac2 and [email protected]", con); You then add the parameters to your SqlCommand object (com)....
bind_param() only necessary on user-inputted values or all?
php,mysql,sql,sql-injection,bindparam
Technically you're not at risk if you don't prepare data that's not coming from user input. However, it's strongly advised to do so for a couple of reasons: If you forget to prepare any user input data somewhere, there's a chance this user injected something miscellaneous into a data row...
Is the @Query annotation in spring SQL Injection safe?
java,spring,sql-injection,spring-annotations
It looks like Spring Data's @Query is just a wrapper around JPA See this SO answer: Are SQL injection attacks possible in JPA?...
How can I use the Like Operator with a Parameter in a SQLite query?
c#,sqlite,sql-injection,like-operator,query-parameters
The wildcard % should be added to the parameter value, not to the parameter name const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName"; using (SQLiteConnection con = new SQLiteConnection(HHSUtils.GetDBConnection())) { con.Open(); SQLiteCommand cmd = new SQLiteCommand(qry, con); cmd.Parameters.Add(new SQLiteParameter("@wtName", tableName + "%")); siteNum = Convert.ToInt32(cmd.ExecuteScalar()); }...
Prevent SQL Injection when the table name and where clause are variables
Without knowing further details, there are several options you have in order to avoid SQL injections attacks or at least to minimize the damage that can be done: Whitelisting is more secure than blacklisting: Think about whether you really need access to all the tables except the blacklisted ones. If...
nvarchar holding “integer” value - not reporting error while converting - SQL injection
mysql,sql,sql-server,sql-injection
You could concatenate a non-numeric string, such as convert(int,(select top 1 'id:' + id from customer))-- And if you're looking for what's in an int field, cast it to varchar(10) and then concatenate with non-numeric string. But don't use this for evil......
prevent sql injection attack in dynamic query grails
You could use usual named parameters: if(params.pAddress!=""){ whereQuery += " and ins.address= :address" compareQuery.address = address def check=InstitutionStudent.executeQuery ("SELECT ins FROM InstitutionStudent ins WHERE ins.institution=:inst and ins.address=:address" ,[inst:inst, address:address]) } ...
Preventing SQL Injection by using Bound Paramaters / Prepared Statements
java,android,android-sqlite,sql-injection,android-cursor
Modified query string (here you set the parameter placeholders): String selectionClause = Events.DTSTART + " = ? AND " + Events.DTEND + " = ? AND " + Events.TITLE + " = ?"; Then pass the parameters as a string array (will replace the placeholders, respecting the **same order*): Cursor...
Is the Jira feature 'JQL' (Jira Query Language) a threat for the security of my Jira installation?
If you are not logged in to the server, your query will not be executed and you will get no results. Unless the JIRA instance has been specifically set up to allow anonymous viewing of issues, such as jira.atlassian.com JQL is a separate language from SQL and does not suffer...
SQL Injection in FROM clause with SqlBuilder [closed]
c#,sql,sql-server,sql-injection
I don't know what SqlBuilder is, but here's an example of exploiting an injection: Suppose you have a code that does: var myFullQuery = string.Format("SELECT * FROM {0} WHERE A = 1", externalInput); and then executes this against the database. If a malicious user sent this string as an input:...
Safe code for SQL Injection using mysql_*
Try not using mysql_* code. If you have beginning of the project rewrite all code to mysqli or PDO. (PDO is better.) If you want to use mysql_* use mysql_real_escape_string in all input field. You can read more Here...
mssql_escape saves double apostrophe
php,sql,sql-injection,apostrophe
Because you are using a parameterised statement there is no need to double up the single quotes. This is the right way of doing things and is generally safe from SQL Injection attacks.
SQL Injection - is it possible when the variable is processed using intval()?
No because intval will always just be a number. The same goes for (int).
Is this code in a stored procedure sql-injectible
sql,stored-procedures,sql-injection
No, As long as you are using it as shown the worst any one can do is enter characters of significance in the like syntax such as % or [0-9]. It would be a SQL injection risk if you concatenated it into a string that you then executed but it...
Explain how order clause can be exploited in Rails
sql,ruby-on-rails,sql-injection
If you are trying to determine the value of a field you know is in the table, but not being returned in the select you could iterate over it in the order by, until you get the value: ORDER BY CASE WHEN variableIdLikeToDiscover < 'N' then 1 else 0 end...
How to use SQL parameters with IF conditions and what datatype is equal to the NVARCHAR. OLeDB, VB.NET
sql-server,vb.net,parameters,sql-injection
My answer to your first question that I think this is the list of equal data-types you want: SQL Server | OLEDB (ADO => ad+...) -----------+--------------- char | Char nchar | WChar varchar | VarChar nvarchar | VarWChar text | LongVarChar ntext | LongWVarChar ...
How this SQL injection works? Explanation needed
sql,ruby-on-rails,ruby,sql-injection
The simplest Explanation i can give for what SQL injection is: This may make a SQL query like the following: SELECT * FROM Order WHERE name = 'Dan' AND pay_type = 'po' Now a nice user would supply the name Dan like above. But an evil user (let's call him...
User Input Check Before Insert to Database
Looks like your AdoHelper class is currently vulnerable to SQL injection. In order to avoid that you need to use parametrized queries. So I would start by refactoring this AdoHelper class so that it suits better those needs: public class AdoHelper { private static string connectionString = ConfigurationManager.ConnectionStrings["SQL_DB"].ConnectionString; public static...
SQL-injection in PHP, how is it possible to send non-escaped quote to server?
php,mysql,escaping,sql-injection
You could have Magic Quotes on. What version of PHP are you running? Magic Quotes were deprecated in 5.3 and removed in 5.4 but they default to ON when present. Magic Quotes will automatically escape quotes, but you really shouldn't rely on it. You should turn it off and use...
Results are empty with $wpdb->prepare statement
php,mysql,wordpress,sql-injection,wpdb
you added the parentheses in the wrong place, it needs to be after your variables. $results = $wpdb->get_results($wpdb->prepare($sql,$category,$comp)) or die($wpdb->print_error()); ...
Why is this SQL injection 'sleep' attack an effective denial of service?
Not sure on the ettiquette here but I just wanted to mark this as solved with the help of PM77-1's comment here Basically the SLEEP(5) happens for every record since the conditional must be evaluated for each. In my test table, I only had one record, so I could not...
How safe $mysqli->real_escape_string for controlling one select query that accept user input
This is safe. If you dont feel safe, it only has characters and integers, you can easily test it is a md5 string (see example below). But again, there is no need for all of that. An alternative would be prepared statements. They're a bit more complex, but safe: $stmt...
How to avoid SQL Injection with Update command in Npgsql?
database,postgresql,sql-injection,npgsql
As @tadman says, you should never use string concatenation to compose your query - that is the source of SQL injection. However, there's no need to prepare your statement. Use parameter placeholders in your query, something like the following should work: string UpdateCmd = "update dx set chronic = @p1...
Is this sanitization unsafe? Is it vulnerable to SQL Injection?
Here is my try. The problem with vulnerabilities is that they are not that direct as most users think. In reality, production code grows slightly different from the artificial, totally controlled example. So, here not technological, but methodological vulnerabilities are coming into the scene. I made a vast effort researching...
Preventing Redshift SQL Injection
java,postgresql,sql-injection,mybatis,amazon-redshift
(Given that you cannot do it the correct way because of restrictions in Redshift): On PostgreSQL with standard_conforming_strings set to on all you need to do is double quotes, making ' into ''. That's it. Backslashes aren't significant unless standard_conforming_strings is off or you use an E'' string. If either...
The most important web application vulnerabilities [closed]
security,web,xss,sql-injection
@elsadek suggestion is good. This is a partial answer to your big question. Some of what comes to mind is below but hte list is not enclusive by any means...): 1-Injection (SQL and/or JSON pair injection) 2-Cross site scripting (XSS) 3-Broken Authentication & Session Management 4-Insecure Direct Object Reference 5-Cross...
Using substring in Rails query the safe way
mysql,ruby-on-rails,ruby,rails-activerecord,sql-injection
Use Post.attribute_names to take columns of Post model then just check that columns contains your field_name and raise error if it doesn't contains.
Is SQL Injection Possible even on Prepared Statement [Java][Mysql]
java,mysql,sql-injection,penetration-testing
This query : String query = "SELECT * FROM Users WHERE username=? and password=?"; is safe, because whatever the parameters can be, it will still be executed as a simple select. At most, it will end browsing a whole table. But prepared statement is just a tool and (bad) programmers...
In prepared statement is setString() the only useful method to prevent SQL injection?
java,jdbc,prepared-statement,sql-injection
It is quite simple, most databases prepare the statement separately from sending the parameters and executing the statement. It is this separation of statement and parameters that actually provide the protection against SQL injection (in contrast to manually escaping and concatenating strings in a query). The format these parameters are...
Rails brakeman warning of sql injection
sql,ruby-on-rails,ruby,sql-injection,brakeman
After some kind of research here is what I would use. There is a method called sanitize_sql_array (ref), you can use it to escape statements by passing an sql string and replacement values to it like: sanitize_sql_array(['user_id = :user_id', user_id: 5]) # => "user_id = 5" If we'd pass a...
Slim framework - php - how prevent injections?
php,android,security,sql-injection,slim
I suggest you to use some existing ORM like Doctrine or Eloquent. Then you don't have to worry so much about user input as they are doing all hard work for you. If you still want to use native php functions, don't use mysql_connect() as it's deprecated. Use mysqli_connect() instead....
Purpose of web app input validation for security reasons
validation,security,xss,sql-injection,code-injection
Yes you are generally correct. A piece of data is only dangerous when "used". And it is only dangerous if it has special meaning in the context it is used. For example, <script> is only dangerous if used in output to an HTML page. Robert'); DROP TABLE Students;-- is only...
Is this SQL query, injection safe
With the parameter you will be saved from SQL Injection, If some SQL is injected in the POLYGON string, it will error out at SQL Server end. So for example if you have : POLYGON(12.33 12.55,13.55; DROP TABLE students;) SQL server will try to construct a geometry type based on...
How to handle the SQL injection response for best practice
c#,asp.net,security,sql-injection
the back-end program will auto return the data of id=1 information to client side. IMO, this is a lame behavior for the backend. I'd say the page should detect the error and redirect the user to an error page. Nevertheless, based on that description it is not a valid...
Why do so many password tutorials, after hashing a password, use “mysql_real_escape_string”?
php,security,hash,sql-injection,mysql-real-escape-string
The Internet is full of chimpanzees That's the main reason why it is always mentioned. In these tutorials, where only raw PHP without even grain of abstraction is used, it's indeed superfluous. However, in fact, in a real application mysql_real_escape_string or equivalent have to be applied. Not the way it...
How to check if PHP string is valid as a query parameter or not
php,mysql,sql-injection,mysql-real-escape-string
Is there a way to add to my "validate_against_sql" function that checks first if the parameter is already valid as a query parameter No. In fact, if one were used here, you were unable to post your question, as it contains supposedly "invalid" double escaped string. Means there is...
C# avoid SQL Injection in a function
c#,sql,sql-server,sql-injection
Each time you use an input provided by a user to generate an SQL statement, you open the door to SQL injection. The only way to avoid sql injection is by using parameters. The first function is safe but the second one may be vulnerable to sql injection if you...
Laravel - SQL injection prevention with {{{ }}}
forms,laravel,input,sql-injection
No you understood the {{{ }}} wrong. They escape the output. So if you do {{{ Form::text('name') }}} The result is this: <input name="test" type="text"> It still generates HTML code but it gets escaped so it's not interpreted as HTML but as plain text Preventing SQL injection You have to...
Ensure that a string is not an sql command
c#,.net,security,sql-injection
The correct way to avoid SQL injection is through parameterized queries, which actually encode any values that wouldn't fit properly into the SQL context they're being injected into. Supposing there's a vast bulk of legacy code that you know is vulnerable to SQL injection, you could still try checking for...
Why does using parameterized queries or entity framework prevent sql injection?
c#,sql,entity-framework,sql-injection,sql-parametrized-query
Your first example is parameterised and is not vulnerable to SQL injection. Parameterised queries aren't simply replaced by the server with values (like you might do manually replacing @var with value). They are sent and received exactly as you sent it.. with @valueFromApplication. The server will parse the query.. and...
Which statement is better and more secure for SQL Injection?
Only first one prevents SQL Injection attacks. You don't use any prepared statements and parameterized sql in your second or third example. I can send them 18; DROP TABLE tblTableName in your age variable. Creating html-encoded string with HttpUtility.HtmlEncode method doesn't help either. Also don't use AddWithValue method. It may...
Detect SQL injections in the source code
python,sql,security,sql-injection,static-code-analysis
There is a tool that tries to solve exactly what the question is about, py-find-injection: py_find_injection uses various heuristics to look for SQL injection vulnerabilities in python source code. It uses ast module, looks for session.execute() and cursor.execute() calls, and checks whether the query inside is formed via string interpolation,...
Can one prevent SQL injection by customizing # — /**/ tags and ; DELIMITER?
mysql,sql,sql-server,sql-injection
Even if such a change were possible (which it's not, unless you fork the MySQL source code and compile your own—not feasible with SQL Server) and would cause some injections to fail, it wouldn't catch them all. Let's imagine a PHP-driven website through which users can view their medical records....
Securing a static SQL query from SQL Injection
java,mysql,prepared-statement,sql-injection,fortify
If you don't alter the SQL statements read from your file based on user input, then there is no SQL injection. On the other hand, if you don't have tight control over what can end up in this file (who can edit it?), then the whole program is a huge...
SQL injection and prepared statement, when does it get overkill?
php,mysqli,prepared-statement,sql-injection
Yes, you are going to far using PDO. PDO is only used for parameters, and not for tables or operators. Use your second query. http://php.net/manual/en/pdostatement.bindparam.php does not indicate that tables and operators are allowed, and I recall testing this a while back, and found that they are not. Binds a...
PHP: While loop not working after adjusting SELECT for SQL injection prevention
php,mysql,select,sql-injection,associative-array
You cannot bind column and table names, only data. You need to specify the table and then bind for your '%calendar weekday%'. $stmt = $conn->prepare("SELECT " . $selectLang . " FROM `TranslationsMain` WHERE `location` LIKE ? ORDER BY `sortOrder`, " . $selectedLang); $stmt->bind_param('s', $calendar_weekday); ...
SQL Server Stored Procedure And SQL Injection
sql,sql-server,sql-server-2012,sql-injection,sql-insert
As for the stored procedures themselves. The first has no opportunity for SQL injection, because there is no dynamic SQL. The third has no opportunity for SQL injection, because the use of sp_executesql compiles the query with parameters and then inserts the values of parameters. The compilation logically happens before...
How to prevent SQL injection in PhalconPHP when using sql in model?
You should bind the query parameter to avoid an SQL injection. From what I can remember Phalcon can be a bit funny with putting the '%' wildcard in the conditions value so I put them in the bind. This would be better than just filtering the query. $tags = Tags::find(array(...
Is merging variables safe against SQL injection?
Your method is safe. Concatenation before insertion, while using prepared statements, doesn't matter. The prepared statement will prepare that entire $text value as a whole string for insertion - which is still separate from the query itself.
Allow user to enter SQL select statement in web application disabling updates
I would do the following: In your database create a user that only been granted SELECT privileges on the tables that you want the user to be accessible to. In your server, use a separate data source using the read only user from above for the queries issued from the...
Omitting bindParam with PDO is safe?
php,mysql,security,pdo,sql-injection
This is still binding the values to a prepared statement. You are doing the same thing as if you were using the bindParam function. So the answer is yes it is just as safe. bindParam just allows for more functionality than simply binding with the execute function for example: $sth=$dbh->prepare("Select...
SQL Injection flaw
You've exposed a public method which can be accessed by any code that allows any SQL expression to be executed. I would look at changing that method to being internal or private instead so that not just any code can call that method....
What kind of Database is this and could be sql injection?
I just call them and they tell me 'we use mysql'. Is that correct? It's possible they use both MySQL and SQL Server at their site. Not likely -- but possible. I think it's more likely that they simply made a mistake. I have heard a few IT people...
Can you show examples of SQL Injection on this code?
With your code it's very easy to modify conditions of an SQL query. I can easily get ALL the clients, by making that condition is always true: http://localhost/inject.php?email=Client 1' OR '1'='1 I can even read details from another table: http://localhost/inject.php?email=Client 1' UNION SELECT * FROM articles WHERE '1' = '1...
How can I use a parameterized query to search on a column by its name?
This is trying to help keep you safe from bad args (prevent things like SQL injection) but isn't designed to do replacement on anything other than a value. You want it to insert a table name. Unfortunately for you the code is aware of col's type (string) and quotes it...
Embed DML/DDL as subquery?
sql,oracle,security,sql-injection
No. That's not possible. However, maybe they can enter two statements, which are executed after each other. If the first part is a harmless select, they could end it (using a semicolon), and add another, harmful statement. Whether this will work at all depends on the way that statement is...
Rails - how to protect against sql injection for a postgres find_by_sql query?
sql,ruby-on-rails,postgresql,sql-injection,rails-activerecord
First of all, you might want to use a %Q{...} string and some formatting in your SQL to avoid an unreadable mess: Pick.find_by_sql(%Q{ WITH cte1 AS ( SELECT DISTINCT user_id, state, pick FROM picks WHERE id IN (#{pick_ids}) ), cte2 AS ( SELECT user_id, coalesce(sum(amount_won), 0) as picks_total_won FROM picks...
Why does this MySQL query spill over to the next line
mysql,sql-update,syntax-error,sql-injection
MySQL allows writing a literal ' within a string literal quoted with ' by two consecutive '': There are several ways to include quote characters within a string: A “'” inside a string quoted with “'” may be written as “''”. […] So the '' immediately after the opening '...
SQL injection without single quotes
This SELECT must be passed as a Scalar Subquery enclosed in parentheses. If date is simply concatenated with text then setting it to ' || (SELECT password FROM users WHERE username='admin') || ' results in INSERT INTO data_table VALUES ([other values], '' || (SELECT password FROM users WHERE username='admin') ||...