sql-injection

Building a Wikipedia on ASP.NET(learning exercise). How to clean untrusted data, but keep formatting?

I want to give end users the ability to save HTML to my backend store. Since this feature could easily cause SQL Injection, and loads of other issues, does anyone know of a server side library that will clean the input so only the "safe" parts of HTML can be used? Some things I'd like to avoid: Object Tag use JavaScript use Windows ...

Entity Framework, LinqToSQL and sql injection

Is it possible for a project using entirely LinqToSQL or Entity Framewok to suffer from SQL Injection. I think that probably not because the SQL that the ORM generates should be sql-injection free. But I'm not sure. ...

Save textarea to MySQL and preserve line breaks

Imagine a blog or cms system (PHP and MySQL). I want to let the user enter some text in a textarea and save it to the database. The type of the field in the database is TEXT. I want to preserve line breaks and print them later. I know I can do this with PHP's nl2br-function, but how do I protect this string against SQL-injection attack...

SQL-injection - is this (oneliner) safe ?

PHP: $SQL = "SELECT goodies FROM stash WHERE secret='" . str_replace("'",'',$_POST['secret']) . "'"; Could an evil genius hacker inject SQL into my SELECT - How ? ...

what more can I do to prevent myself from XSS injection & SQL Injection?

Hey! If my site ever goes live (don't think it will, its just a learning exercise at the moment). I've been using mysql_real_escape_string(); on data from POST, SERVER and GET. Also, I've been using intval(); on strings that must only be numbers. I think this covers me from sql injection? Correct? Can i do more? But, I'm not sure ho...

Is SQL Injection possible when parameter's type isn't set?

Does passing SQL Parameters to a stored procedure alone ensure that SQL injection won't happen or the type checks also need to be performed? As an example - ADO.NET Code: Database DBObject = DataAccess.DAL.GetDataBase(); DbCommand command = DBObject.GetStoredProcCommand("usp_UpdateDatabase"); List<DbParameter> parameters...

how SQL injection is done?

Possible Duplicate: XKCD SQL injection - please explain What is the general concept behind sql injection ? Being a rails developer This is unsafe Booking.find(:all, :conditions => [ 'bookings.user_id = #{params[user_id]]}'] ) and this is safe:-- Booking.find(:all, :conditions => [ 'bookings.user_id = ?', params[user_i...

How to do SQL injection on Oracle

I'm doing an audit of a system, which the developers insist is SQL injection proof. This they achieve by stripping out the single-quotes in the login form - but the code behind is not parameterized; it's still using literal SQL like so: username = username.Replace("'", ""); var sql = "select * from user where username = '" + username +...

Can JSF standard validation prevent code injection?

In my project, I do duplicate validation at the presentation layer as well as the persistence layer with the hope to increase security. So my question is: can standard JSF validation prevent code injections. <h:inputText id="name" value="#{bean.customer.name}" required="true" requiredMessage="Validation Error: Value is required." title=...

Using Magento Methods to write Insert Queries with care for SQL Injection

I am using the Magento's functionality to insert & update queries. My requirement is that I want to take care of SQL Injection, when doing these types of queries. But I'm unable to find how Magento does this. I'm providing one start sample. Please provide me with one complete example. <?php $write = Mage::getSingleton("core/resource")...

How do I run a parameterized SQL query in classic ASP? And is it secure?

I'm about to have to deal with some SQL code in classic ASP VBScript. I have two questions. First, in .net, I'm used to using the System.Data.SqlClient namespace objects to perform queries. For example: Dim conn as New SqlConnection("Data Source=MyServer;uid=myUid;pwd=myPwd;Initial Catalog=myDataBase;" Dim cmd as New SqlCommand("Se...

How do I deal with an apostrophe in my MySQL database that is throwing off my queries?

I have an SQL file I created from a CSV file. It includes the names of all metropolitan areas in the United States, along with some statistics about their populations. I wrote a PHP script that takes the population data, turns it into a chart, and sticks it back in the city's row, in a different column. This script ran fine until it came...

How can I avoid users entering php code into my form

How can I stop users entering <?php ?> into my forms. I am using urlencode() and then using urldecode() when echoing data onto my page what is the best thing to do?? UPDATE: I am writing to the database with the text urlencoded: htmlentities (urlencode($_POST['postmessage'])); I am using: <?php echo htmlentities (urldecode($row['...

Am I safe from a mysql injection?

Is this good enough to avoid a SQL injection? mysql_real_escape_string(htmlentities (urlencode($_POST['postmessage']))); ...

PHP Protect query from mysqyl Injection.

How can I add mysql_real_escape_string() to this::: $result = mysql_send("INSERT customers SET user='$username', pword='$pass1', firstname='$firstname', lastname='$lastname', email='$email', active='No', activecode='$activecode', dateofbirth='$dateofbirth', gender='$ge...

Am I saving myself from sql injections?

Am I doing this right? Will this help avoid sql injections? $deleteid = htmlspecialchars(strip_tags(mysql_real_escape_string($_POST['listid']))); mysql_send("DELETE FROM stage where listid='$deleteid'"); ...

Does Zend_DB / Doctrine protect me from SQL injection?

Does using prepared statements in Zend_DB or Doctrine protect me from sql injection? example: $stmt = $db->prepare('SELECT * FROM users WHERE name = ? AND password = ?'); $rs = $stmt->execute('peter', 'secret'); Or do I have to check strings and types types myself? Another quickie: Which of the two is best? I only need the DB abstra...

Is this sql input validation secure?

I'm currently developing a database class for a project I've been working on. I would like to know if the following function has any holes or errors in it that would allow for someone to use MySQL injection. public function sql_validate($var) { if (is_null($var)) { return NULL; } else if (is_string($var)) { ...

How to find sql injection vulnerabilities?

Is there a way to find SQL injection vulnerabilities? Note: I am asking how to find them on a server you are in control of so you can fix them. I am not asking about how to detect them on someone else's server to exploit them. Is there a way to find every occurance of mysql_query() without opening every page and doing a ctrl+f? ...

How to prevent 'DROP BOBBY TABLES' when user enters a password with special characters?

In our ancient Classic ASP environment, we utilize OWASP to get the password from the request object and encrypt non-alphanumeric characters. This is a first line of defense to preventing sql injection. We use other methods for full sql injection prevention. The problem is, when we are collecting data to put together an HTTP post mess...