sql-injection

SQL Server: Sanitizing @param against injection attacks

For the sake of argument, let's just say I have to create a local variable containing a SQL query that has an INSERT: DECLARE @insert NVARCHAR(MAX) SELECT @insert = 'INSERT INTO [dbo].[' + @table + '] VALUES... EXEC (@insert) This INSERT is also going to contain a column value: DECLARE @insert NVARCHAR(MAX) SELECT @insert = 'I...

What is the best solution for SQL injection security on MySQL?

What is the best function to run my strings through to ensure that MySQL injection is impossible? Also, will it require running it through another function on the way out to make it display correctly? See also Are Parameters really enough to prevent Sql injections? C# Parameterized Query MySQL with in clause Can I protect aga...

Why is using a mysql prepared statement more secure than using the common escape functions?

There's a comment in another question that says the following: "When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such as mysql_real_escape_string." Source So, what i want to ask is: Why...

SqlCeResultSet and SQL injection

When using this code to insert a row with SqlCeResultSet, SqlCeResultSet resultSet = DataAccess.OpenResultSet("MyTable"); SqlCeUpdatableRecord record = resultSet.CreateRecord(); record.SetString(1,TextBox1.Text); resultSet.Insert(record); Does it prevent SQL injection attacks? ...

Sql Injection Attacks and Subsonic

If I use SubSonic to create DAL for my web project do I need to worry about preventing SQL Injection Attacks? ...

PHP/SQL Database querying good practice and security.

So I'm a slightly seasoned php developer and have been 'doin the damn thing' since 2007; however, I am still relatively n00bish when it comes to securing my applications. In the way that I don't really know everything I know I could and should. I have picked up Securing PHP Web Applications and am reading my way through it testing thing...

Examples of SQL Injections through addslashes()?

In PHP, I know that mysql_real_escape in much safer than using addslashes. However, I could not find an example of a situation where addslashes would let an SQL Injection happen. Can anyone give some examples? Thanks! ...

Is sqlite3_bind_text sufficient to prevent SQL injection on the iPhone

Given the statement: const char *sql = "INSERT INTO FooTable (barStr) VALUES (?)"; is the following use of sqlite3_bind_text (and related sqlite3_bind_* functions) sufficient to prevent SQL injection attacks? sqlite3 *db; sqlite3_stmt *dbps; int dbrc = sqlite3_open([dbFilePath UTF8String], &db); if (dbrc) { // handle error ...

Avoiding SQL injection without parameters

We are having another discussion here at work about using parametrized sql queries in our code. We have two sides in the discussion: Me and some others that say we should always use parameters to safeguard against sql injections and the other guys that don't think it is necessary. Instead they want to replace single apostrophes with two ...

SQL Injection

Possible Duplicates: What is the best way to avoid SQL injection attacks? XKCD sql injection - please explain SQL injection on INSERT What is SQL injection? I have been reading about SQL injection, but I am not able to understand it. Can anyone tell me the real issues about SQL injection? ...

Is it possible to execute multiple statements in a single query using DBD::Oracle?

I'd like to know if it's possible to execute more than one SQL statement within a single execute() or do() call using DBD::Oracle via Perl DBI. Example: # Multiple SQL statements in a single query, separated by a ";" $sql = 'UPDATE foo SET bar = 123; DELETE FROM foo WHERE baz = 456'; $sth = $dbh->prepare($sql); $sth->execute; # ...or...

Sanitize user input destined for database in PHP

I have this code: $query = "select id from votes where username = '$user' and article_id = $this->id"; I tried this code to sanitize it: $query = sprintf("select id from votes where username = '$user' and article_id = $this->id", mysql_real_escape_string($user), mysql_real_escape_string($password)); but I get this error ...

PHP Function to replace symbols with character codes to stop SQL Injection

I am trying to write a php function to stop MySQL injection attempts. What I am doing is using str_replace() to remove symbols and replace them with with their HTML character code. My issue is that the codes all contain &#; but I also want to replace those symbols with their codes. How can I do this without changing the code into somet...

Are SQL stored procedures secure?

Are they less vulnerable to SQL injection than doing stuff like mysql_query("SELECT important_data FROM users WHERE password = $password")? ...

Protecting against SQL tablename injection - how far is too far?

I'm developing a relatively small application to talk to PostgreSQL, and wanted to get some feedback on how far is too far to go with regards to protecting against SQL injection. The application is in Perl and does not use any ORM modules (just DBI). The SQL statements are constructed in the typical fashion with placeholders: my $sql ...

What is the least dangerous way to allow users to enter code samples?

I'm implementing a Rails application in which users will be able to store snippets of code for later reference. I'm planning to use Markdown for text entry and will probably use the wmd markdown editor. (The very one Stackoverflow uses.) I'm a little concerned about the idea of people entering code into the edit box. From what I underst...

LIKE in dynamic queries

I want to use the like keyword in a dynamic parameterized query. I want to protect my query from SQL injections so I don't want to pass the value, instead I want to pass my criteria while executing the query, Is there a way I can do this? SELECT ComposeMail.ID, ComposeMail.DateTime, ComposeMail.Subject, ComposeMail.CreatedB...

Can I get SQL injection attack from SELECT statement?

2 Questions actually: I know i must use Stored Procedures as much as Possible, but i would like to know the following please. A: Can i get a SQL Injection attack from a SELECT statement such as (Select * from MyTable) ? B: Also, can i get a SQL Injection attack when I use the SQLDataSource in ASP.NET? ...

SQL Injection in Java/MySQL - multiple queries

Hi everyone, I've got a web application with an SQL injection as part of an INSERT statement, it looks like this: INSERT INTO table1 VALUES ('str1', 1, 'INJECTION HERE') I can insert the regular multiple-query injections such as ');truncate table1;-- but due to the fact that Java+MySQL is used it does not allow stacking multiple queri...

How much sanitizing is needed for Web Services that call Stored Procedures?

I am building a series of web services in VB.Net Each of the web services takes multiple string values, performs some validation/processing then calls a Stored Procedure using Linq to SQL. Some of the string contains user data that is stored in the database: These string values passed from the web service are escaped to trap single quo...