I have some old databases I was handed that use SQL Server 2000 and they are getting SQL injected with JavaScript script tags at the end of certain database fields. I need a trigger to strip out the injected on update until I have time to fix the front end that is allowing this.
I am a SQL Server novice - please help!
...
I need to check all of my asp code to prevent SQL injection.
Should I check the session object, too?
How might a session be hijacked?
Thank you!!
...
I'm working with SQL Server 2005 and Windows Server 2000 and wonder if there are any 'automated' ways of blocking SQL Injection attacks while I shore up my code.
Some have suggested that there are ways to:
Put in some kind of ISAPI or HTTP module that filters request post and querystrings for injection-oriented symbols and fails the r...
I have seen this SQL injection attempt on my site many times in the last few months.
';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A656...
I am taking in a string from user input, and splitting it on whitespace (using \w) into an array of strings. I then loop through the array, and append a part of the where clause like this:
query += " AND ( "
+ "field1 LIKE '%" + searchStrings[i] +"%' "
+ " OR field2 LIKE '%" + searchString...
I just installed the FindBugs plugin for Eclipse, with the hope that it will help me find SQL injection vulnerabilities in my code. However, it doesn't seem to be finding anything, even when I deliberately put some in.
In the following examples, assume staticFinalBaseQuery is declared as follows:
public static final String staticFin...
How can one allow code snippets to be entered into an editor (as stackoverflow does) like FCKeditor or any other editor while preventing XSS, SQL injection, and related attacks.
...
There are the standard A-Z, a-z characters, but also there are hyphens, em dashes, quotes, etc.
Plus, there are all of the international characters, like umlauts, etc.
So, for an English-based system, what's the complete set? What about sets for other languages? What about UTF8, UTF16, etc?
Bonus question: How many name fields are nee...
I have been getting a number of attacks on my website lately, with a User-Agent of NV32ts.
They all are some variation of the following injection attacks against a querystring variable (where 99999 represents a valid querystring value, the attack is appended to the value):
(For convenience I have urldecoded the following attacks)
9999...
Report released today on the "top 25" most dangerous programming mistakes. I'm interested to see if any here agree or can spot any glaring omissions (or outdated inclusions).
Also, in your opinion which modern dev tools/frameworks are improving (or worsening) these flaws for things like authorization, SQL injection, or code injection?
...
I have a table in a ASP.NET MVC application that I want to be sortable (serverside) and filterable using AJAX. I wanted it to be fairly easy to use in other places and didn't feel like hardcoding the sorting and filtering into query expressions so I looked for a way to build the expressions dynamically and the best way to do this I found...
I have a project (private, ASP.net website, password protected with https) where one of the requirements is that the user be able to enter Sql queries that will directly query the database. I need to be able to allow these queries, while preventing them from doing damage to the database itself, and from accessing or updating data that th...
The stored procedures being written here currently concatenate the parameters to the queries:
'Select * From Names Where Name = ' || prmName || ' Order By ' || prmSortField
Is it possible to parameterize this query inside the stored procedure? Possibly like:
query = 'select * From Names Where Name = @name Order By ' || prmSortField
call(...
How do you protect your website from Local File Inclusion & SQL Injection (PHP)?
...
Hi,
One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection.
Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the form:
"Hello", said Jimmy O'Toole.
If you print/echo the input on the PHP page that rec...
I'm writing a java class which would be invoked by a servlet filter and which checks for injection attack attempts and XSS for a java web application based on Struts. The InjectionAttackChecker class uses regex & java.util.regex.Pattern class to validate the input against the patterns specified in regex.
With that said, I have the following...
There seems to be some hysteria about SQL Injection attacks. Most recently, here
http://stackoverflow.com/questions/505838/vba-simple-database-query-from-word
If I'm creating a macro in Excel that connects to an Access database, do I really have to be concerned about SQL injection? It's not on the web, it's used in my office (you guy...
I just wanted to know how we can escape an SQL query (string) in Ruby to prevent SQL injection. Please note I am not using the Rails framework.
Thanks.
...
Why do we need DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't?
Ignoring for the moment the superior alternative of parameterized queries, is a webapp that uses addslashes() exclusively still vulnerable to SQL injection, and if yes, how?
...
Update:
So, how did things go?
We notified them of the existing problem, included background information, a detailed error report and tried to explain in plain human language what the problem was and why it is serious.
They thanked us, passed the information to their website developer who has since fixed it.
We are not quite sure of t...