sql-injection

Catching SQL Injection and other Malicious Web Requests

I am looking for a tool that can detect malicious requests (such as obvious SQL injection gets or posts) and will immediately ban the IP address of the requester/add to a blacklist. I know, I know, the code should be able to handle such requests accordingly but there is still value in such a tool even when the site is safe from such at...

What is the best way to avoid SQL injection attacks?

I've provided a solution for Python... please flesh this out with examples for other languages. ...

When is it Best to Sanitize User Input?

User equals untrustworthy. Never trust untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this "cleaned" version? Maybe there are als...

Inform potential clients about security vulnerabilities?

We have a lot of open discussions with potential clients, and they ask frequently about our level of technical expertise, including the scope of work for our current projects. The first thing I do in order to gauge the level of expertise on staff they have now or have previously used is to check for security vulnerabilities like XSS and ...

Best way to stop SQL Injection in PHP

So specifically in a mysql database. Take the following code and tell me what to do. // connect to the mysql database $unsafe_variable = $_POST["user-input"]; mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')"); // disconnect from the mysql database ...

How do I programatically sanitise coldfusion cfquery parameters.

I have inherited a large legacy coldfusion app. There are hundreds of <cfquery>some sql here #variable#</cfquery> statements that need to be parameterized along the lines of: <cfquery> some sql here <cfqueryparam value="#variable#"/> </cfquery> How can I go about adding parameterization programatically? I have thought about writing so...

Is there some way to inject SQL even if the ' character is deleted?

If from an SQL query I remove all the ' characters, is there some other way to do an SQL injection attack on the database? How can it be done? Can anyone give me examples? ...

Penetration testing tools

We have 100s of websites which were developed in asp, .net and java... and we are paying lot of money for an external agency to do a penetration testing for our sites to check for security loop holes. Are there any (good) software (paid or free) to do this? or.. are there any tehnical articles which can help me develop this tool. ...

binding variables to parameters in ADOdb for PHP

does binding variables to parameters in ADOdb for PHP prevent SQL injection in any way? I thought ADOdb also did data sanitation or escaping within the same functionality by default. Or am I just confusing it with Code Igniter's built-in processes? ...

What should you do when coming across a publicly accessible security vulnerability?

I was browsing and came across a rather back-end state-government site that's vulnerable to SQL injection. (Searching for a ' yielded an error, and I toyed around with it until I got a list of tables.) I know the proper thing to do is to alert the webmaster of the problem, but I've had bad luck simply sending an email. I've done this ...

Handling the data in an IN clause, with SQL parameters?

We all know that prepared statements are one of the best way of fending of SQL injection attacks. What is the best way of creating a prepared statement with an "IN" clause. Is there an easy way to do this with an unspecified number of values? Take the following query for example. SELECT ID,Column1,Column2 FROM MyTable WHERE ID IN (1,...

Parameterized SQL Columns?

I have some code which utilizes parameterized queries to prevent against injection, but I also need to be able to dynamically construct the query regardless of the structure of the table. What is the proper way to do this? Here's an example, say I have a table with columns Name, Address, Telephone. I have a web page where I run Show C...

What percentage of my time will be spent in user input verfication during web development?

I'm new to developing things on the web. So far, I'm spending a lot of time (50% or so) to try and prevent bad people from putting things like sql injection into my input forms and validating it server side. Is this normal? ...

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

Earlier today a question was asked regarding input validation strategies in web apps. The top answer, at time of writing, suggests in PHP just using htmlspecialchars and mysql_real_escape_string. My question is: Is this always enough? Is there more we should know? Where do these functions break down? ...

What's the best method for sanitizing user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for sql injection and XSS attacks, while still allowing certain types of html tags? ...

Are PDO prepared statements sufficient to prevent SQL injection?

Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['username']) ); The PDO documentation says The parameters to prepared statements don't need to be quoted; the driver handles it f...

Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?

I realize that parameterized SQL queries is the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with taking user input and escaping any single quotes and surrounding the whole string with single quotes. Here's the code: sSanitizedInput = "'" & Replace(sInput, "'", "''") ...

Comprehensive server-side validation

I currently have a fairly robust server-side validation system in place, but I'm looking for some feedback to make sure I've covered all angles. Here is a brief outline of what I'm doing at the moment: Ensure the input is not empty, or is too long Escape query strings to prevent SQL injection Using regular expressions to reject invalid...

Classic ASP SQL Injection Protection

What is a strong way to protect against sql injection for a classic asp app? FYI I am using it with an access DB. (I didnt write the app) ...

Dynamic SQL - Search Query - Variable Number of Keywords

We are trying to update our classic asp search engine to protect it from SQL injection. We have a VB 6 function which builds a query dynamically by concatenating a query together based on the various search parameters. We have converted this to a stored procedure using dynamic sql for all parameters except for the keywords. The proble...