sql-injection

Preventing SQL Injection/Good Ruby method

What is a good method in Ruby to prevent SQL Injection? ...

Do I have to use mysql_real_escape_string if I bind parameters?

I have the following code: function dbPublish($status) { global $dbcon, $dbtable; if(isset($_GET['itemId'])) { $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?'; $stmt = $dbcon->prepare($sqlQuery); $stmt->bind_param('ii', $status, $_GET['itemId']); $stmt->execute(); $stmt->close(); } } Do I need to mysql...

How can I limit an SQL query to be nondestructive?

I'm planning on building a Django log-viewing app with powerful filters. I'd like to enable the user to finely filter the results with some custom (possibly DB-specific) SELECT queries. However, I dislike giving the user write access to the database. Is there a way to make sure a query doesn't change anything in the database? Like a 'dr...

Where to use mysql_real_escape_string to prevent SQL Injection?

Hi friends, I'm in trouble with a group of hackers. They hacked my client's site a few times, and my client gets angrier :( My client lost his database (which has hundreds of records) and had to enter it all again :( Now I'm following some more instructions: fixed file permissions, changed FTP and host login info, cleared all remote mysql acce...

Regex for detecting SQL Injections in WinForms

Hello, I want to catch input which seems to be like SQL injection. So I wrote the method: public static bool IsInjection(string inputText) { bool isInj = false; string regexForTypicalInj = @"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix"; Regex reT = new Regex(regexForTypicalInj); ...

Securing/encrypting an offline application

I'm developing an "offline" application for a local government that will be used to collect sensitive information. The application will sync back up to the mothership periodically, but it will generally be used offline. It'll be running on Windows, written in .NET/WPF. I'll need a small "local" database, so I'm looking at SQLite. I c...

Have I found an SQL injection bug in SQL server?

So I was playing with my MS SQL Server 2008 app to see how well it is protected against SQL injections. The app lets users create views in the database. Now consider the following: create view dbo.[]]; drop database foo--] as select 1 as [hi!] This creates a view with the name ]; drop database foo--. It is valid and you can selec...

Make this query safe?

Possible Duplicate: Best way to stop SQL Injection in PHP I have seen some examples that use something called PDO to make a query safe from SQL injection, or others that use real_escape, but they all seem to be incomplete or assume some knowledge. So I ask, take this simple update query and make it safe from SQL injection...

How is it advised to use the ContentResolver's delete method to be injection safe?

You can delete with a content resolver by URI or by passing some parameters to the where parameter. How do you make the parameters SQL injection safe? Is it possible to use prepared statements with ContentResolver? act.getContentResolver().delete(myuriwithid,null,null); act.getContentResolver().delete(mybaseuri," name = '"+this.nam...

Testing for security vulnerabilities in web applications: Best practices?

Hi y'all, I'm developing a web application. Like, a proper one. I've used things like Joomla in the past to make awesome stuff but have now finally got my hands dirty with PHP, MySQL and CodeIgniter. When you're making serious web apps that'll handle large amounts of data, what precautions should I take against my data inputs to fully s...

How to prevent SQL injection attacks in applications programmed in Zend Framework?

I don't have any concept of ZF safety. Do I have to use Filter when operating on the database? Maybe binding is enough? How about this: $users->update($data, 'id=1'); Should the $data array be filtered somehow? Feel free to write anything you know about the issue. Could you give some links to good articles about safety in ZF (mainly abo...

How can this SQL query code be broken/exploited by user input?

Possible Duplicate: Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? We have a legacy app that doesn't do queries using positional parameters, and there's SQL everywhere. It was decided (before I started here) that since user input can contain apostrophes, every string...

How to protect WinForms app from direct-SQL

Hello, I have a WinForms app (a framework to develop some simple apps), written in C#. My framework would later be used to develop WinForms applications. Other developers are often beginners and sometimes do not use parameters; they write direct SQL in code. So first I need somehow to do protection in my framework base classes in...

Wordpress: wpdb->insert VERSUS wpdb->prepare(wpdb->query("INSERT...

Hello, I am wondering if WordPress' insert function also adds slashes to data. If it doesn't, it would seem that the prepare query method would be better to protect against SQL injection. I tried looking the issue up in their codex/API; however, it seems undocumented. Thanks! ...

Help to find Reg-ex usage errors.

Hello, I want to catch input which seems to be like SQL injection. I know now that regex usage for finding SQL injections is not the best way, but I simply need to do some research about it, and I'm asking for help to fix some errors. So I wrote the method: public static bool IsInjection(string inputText) { bool isInj = false; ...

Ways and techniques to defend against SQL injections

Hello, I have a WinForms app (a framework to develop some simple apps), written in C#. My framework would later be used to develop WinForms applications. Other developers are often beginners and sometimes do not use parameters; they write direct SQL in code. So first I need somehow to do protection in my framework base classes in ...

What should be considered to prevent injection in request forms?

What should be considered to prevent injection in request forms? e.g. using reCAPTCHA, preventing SQL injections, etc. What other items should be considered? ...

Simple regex question (C#, SQL Server)

Hello, I have a regex; it looks like this: string regexForDrop = @"^((%27)|'|(\-\-))\s*(d|%64|%44)(r|%72|%52)(o|%6F|%4F)(p|%70|%50)$"; It works fine when I write "--drop" to the input, but it does not work when I write "drop table users" or something like that. I need it to work no matter what comes after "--drop"...

Is htmlencoding a suitable solution to avoiding SQL injection attacks?

I've heard it claimed that the simplest solution to preventing SQL injection attacks is to html encode all text before inserting into the database. Then, obviously, decode all text when extracting it. The idea being that if the text only contains ampersands, semi-colons and alphanumerics then you can't do anything malicious. While I s...

Subdomain, a place to check for SQL injection?

I understand the benefits of cleaning all data and quoting data, etc., but I'm wondering if HTTP allows for a situation where a subdomain could have the right chars for SQL injection. ...