sql-injection

SQL Injection in .NET

Hi, I was wondering if anyone knew of some good websites detailing prevention for SQL injection for .NET web applications. Any resources would be greatly appreciated, thank you. ...

MySQL injection protection and vulnerability signs using PHP

What are the best ways to protect from MySQL injection? What are weaknesses I should look out for? I know what it is, but I really have no idea how vulnerable I might be. Though I have taken (what I think to be) steps toward protecting myself and my database. Is there any sure-fire way of stopping someone? BTW...I write in PHP:) ...

How can I get a username and password from my database in C#?

I have the following code in my btn_click event: SqlConnection con = new SqlConnection("server=.;database=bss;user id=ab;pwd=ab"); con.Open(); SqlCommand cmd = new SqlCommand("select * from login where username='" + txt4name.Text + "' and pwd='" + txt4pwd.Text + "'", con); SqlDataReader reader = cmd.ExecuteReader(); Where login is ...

How to Prevent SQL Injection in Oracle SQLPlus?

Obviously if I am using JDBC/ODBC, I can use bind variables and prepared statements to prevent SQL injection. However, when data is passed to batch processes that end up invoking Oracle SQLPlus, is there a way to prevent SQL injection? For example: query.sql: select '&1' from dual; exit; If I call this script from SQLPlus thusly: $ ...

How do I build a parameterized PDO statement in PHP for a dynamic query?

Apologies if this has been asked already. I've seen answers regarding static SQLs, but in this case I'd like to use PDO->prepare() for a query string that is built dynamically at runtime. Breaking down into a simple example: $TempSQL = "SELECT field1, field2, field3 FROM table WHERE "; if ($numberParams == 1) { $TempSQL = $TempSQ...

PHP include numeric

If I build my pages like this do I have to check if news_id is numeric in news.php too? Or is this safe? index.php: if (ctype_digit($_GET['news_id'])) include('news.php'); news.php: $query = mysql_query("SELECT * FROM news WHERE news_id = $_GET[news_id]"); $row = mysql_fetch_assoc($query); if (!mysql_num_rows($query...

TableAdapters SQL Injection

Hi, I am using a dataset and in that dataset I have a table adapter. In my table adapters I have used stored procedures as queries. If I use the following lines to insert form data using my table adapter, is it safe against SQL injection? Thanks. UserDataSetTableAdapters.UserInformationTableAdapter myFactory = new TestProject.UserData...

What is SQL injection?

Can someone explain SQL injection? How does it cause vulnerabilities? Where exactly is the point where SQL is injected? Duplicate http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain Too many to list (Google link) ...

C# Assembly Injection Check

I'm creating an assembly in C# for MS SQL 2005. This assembly creates a stored procedure and runs a dynamic query based on parameters passed into the stored procedure. Is there a simple function in C# to prevent SQL injection? For example string myQuery = "SELECT * FROM dbo.MyTable WHERE lastName = '" + injectionCheck(arg1) + "'"; T...

Does mysqli class in PHP protect 100% against SQL injections?

I've seen lots of articles and questions about mysqli, and all of them claim that it protects against SQL injections. But is it foolproof, or is there still some way to get around it? I'm not interested in cross-site scripting or phishing attacks, only SQL injections. What I should have said to begin with is that I am using prepared st...

How dangerous is this PHP code?

How dangerous is this PHP code? What can be done about it? $name = $_POST["user"]; $pwd = $_POST["pwd"]; $query = "SELECT name,pwd FROM users WHERE name = '$name' AND pwd = '$pwd'"; ...

Am I safe against SQL injection

Hello, I would like to know if I'm safe against SQL injection when I use something like that with PostgreSQL: CREATE or REPLACE FUNCTION sp_list_name( VARCHAR ) RETURNS SETOF v_player AS ' DECLARE v_start_name ALIAS FOR $1; r_player v_player%ROWTYPE; v_temp VARCHAR; BEGIN v_temp := v_start_name || ''%''; ...

Best way to escape strings for SQL inserts?

What is the best way to escape strings for SQL inserts, updates? I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement? Thanks Duplicate of: http://stackoverflow.com/questions/568995/best-way-to-defend-against-mysql-injection-and-cross-site-scrip...

jQuery AlphaNumericPlugin - Copy Paste Issue

I am using the .alphanumeric plugin for jQuery which is certainly doing what I would expect as users type directly into the textbox. But, if a user were to copy and paste a value into the text box, all bets are off. $("#<%= txtNumber.ClientID %>").alphanumeric({allow:"-"}); I can certainly do this: $(document).ready(function() { ...

PHP protecting itself from SQL injections?

When I send ");-- from an input field to my localhost PHP server, it AUTOMATICALLY converts it to \");-- It seems great, except that I don't know how trustworthy this behavior is. Although it seems to avoid SQL injections, my development environment is not the same as the production environment and I'm afraid that the production en...

Is it possible, with the Python Standard Library (say version 2.5) to perform MS-SQL queries which are parameterized?

While the particular data I'm working with right now will not be user-generated, and will be sanitized within an inch of its life during my usual validation routines, I would like to learn how to do your basic INSERT, SELECT, etc. SQL queries while protecting myself against SQL injection attacks, just for future reference. I'd rather le...

SQL injections with prepared statements?

If I remember correctly, I think Jeff has mentioned in the Stack Overflow podcast a possible weakness in SQL prepared statements. I'm wondering what kind(s) of weakness(es) did he refer to? Was it possibly just about inappropriate usage thereof, or something more sinister? The podcast, to my remembering, didn't go deeper into the subjec...

SQL injection on INSERT

I have created a small survey web page on our company Intranet. This web page is not accessible from the outside. The form is simply a couple of radio buttons and a comments box. I would like to maintain good coding practices and would like to guard against SQL Injections. Can SQL injections happen on an insert statement with comments...

How should I sanitize database input in Java?

Could someone please point me to a good beginner guide on safely running SQL queries formed partly from user input? I'm using Java, but a language neutral guide is fine too. The desired behaviour is that if someone types into the GUI something like very nice;) DROP TABLE FOO; The database should treat it as a literal string and sto...

PHP on Zend, how to escape a variable for a query?

Hello, I'm doing some queries in Zend Framework and I need to make sure no SQL injection is possible in the next kind of formats. I can use mysql_escape (deprecated) and it won't do all the work. If I try to use real_mysql_escape it won't be able to grab the connection with the database and I can't find how zend_filter would solve the problem. ...