FAQ Database Discussion Community


Preventing Redshift SQL Injection

java,postgresql,sql-injection,mybatis,amazon-redshift
I have the unfortunate situation where I have to build up a SQL string by concatenating strings - the classic SQL injection scenario. I can't use prepared statements. If I escape the ' character am I safe? Or are there other attack vectors? I'm using MyBatis and it's ${} notation...

Results are empty with $wpdb->prepare statement

php,mysql,wordpress,sql-injection,wpdb
I am working in WordPress and my $wpdb select query works without prepare but when I use the proper escaping and use $wpdb->prepare ... with prepare results never show up and results show when I don't use %s and prepare ... what is there that I am missing ... thanks...

Why does this MySQL query spill over to the next line

mysql,sql-update,syntax-error,sql-injection
The input would come in from a web form, and I am attempting an SQL injection via the form. In the password field, I attempt to put a single quote just to see what sort of error is invoked at the back end. I run this same query manually at...

What are the best ways to prevent SQLInjection in CodeIgniter [duplicate]

php,codeigniter,sql-injection
This question already has an answer here: Does Code Igniter automatically prevent SQL injection? 10 answers I am new to the codeigniter framework and im makeing a few queries my question is what is the best way to keep my queries safe. Should I use mysql_real_escape_string or is there...

mssql_escape saves double apostrophe

php,sql,sql-injection,apostrophe
I am using the function below to escape my string before it is inserted into the DB. Though it actually inserts the double apostrophe into the database, and when I print it out it still has the double apostrophe. What is the right way to print the value out with...

In prepared statement is setString() the only useful method to prevent SQL injection?

java,jdbc,prepared-statement,sql-injection
What's the need to use: pstatement.setInt(); pstatements.setFloat(); etc. and all these methods other than setString() which is the only method useful to prevent SQL injection?...

Embed DML/DDL as subquery?

sql,oracle,security,sql-injection
In an application that my team is developing, all users can define SQL-based filters, which are SQL-select-statements that return IDs. This statement, that is entered by the user, is then embedded in an insert ... select .. statement as an subselect clause. I do have a very bad feeling about...

Using substring in Rails query the safe way

mysql,ruby-on-rails,ruby,rails-activerecord,sql-injection
I'm currently writing a query to look in a table some grouped results in order to build an alphabetical pagination index. The query I have looks something like the following (based on this answer): criteria = "substr(%s, 1, 1)" % field_name Posts.select(criteria).group(criteria).order(criteria).count(:id) Now I would like to improve this query...

Allow user to enter SQL select statement in web application disabling updates

sql,web,sql-injection
I need to allow users to enter SQL select statements in my web application; these select statements will be used to generate the options in a customized dropdownlist. So I have a field on the UI where the user enters a select; how to prohibit the user of entering an...

Slim framework - php - how prevent injections?

php,android,security,sql-injection,slim
As an android developer I would like prepare my server for request from android app. First aim was to create request link for adding items into database. So I have created something like that below in php file by Slim framwork. My question is: is there any chance to inject...

SQL-injection in PHP, how is it possible to send non-escaped quote to server?

php,mysql,escaping,sql-injection
This code seems to be unsafe: <form method='post'> <input type='text' name='x' style='width:1000px'> <input type='submit' value='Send'> </form> <?php if(isset($_POST['x'])) { require_once("db_connect.php"); $q = mysqli_query($dbc, "SELECT x FROM table where x = '". $_POST['x'] ."'"); while($r = mysqli_fetch_assoc($q)) echo $r['x']; } but when I sent malicious input, it did not work. So...

SQL injection and prepared statement, when does it get overkill?

php,mysqli,prepared-statement,sql-injection
I've read alot about sql injection and i've been using mysqli prepared statement for over a year now. The closer i got to my question was this one Why does this MySQLI prepared statement allow SQL injection? Now, i want to create a function to run a query based on...

Preventing SQL injection in a report generator with custom formulas

sql-server,sql-injection,sql-server-2014
For my customers, I am building a custom report generator, so they can create their own reports. The concept is this: In a control table, they fill in the content of report columns. Each column can either consist of data from DIFFERENT DATA SOURCES (=tables), or of a FORMULA. Here...

How to handle the SQL injection response for best practice

c#,asp.net,security,sql-injection
We are using the web security scanner which found out one of my web page has a Bind SQLi. The scanner modified the parameter "news.aspx?id=123" to "news.aspx?i=123' or 1=1--", And the web server responses to the news information for id=1 information currently. After investigation from development team, they said that...

SELECT and UPDATE rows at the query?

mysql,sql,security,sql-injection
I am trying to find a way to merge a select query and an update withing the same instruction on a MySQL server. This might sound as a repeated question, but my need is different from my predecessors. I actuality looking for a single SQL instruction, as I cannot use...

Is the Jira feature 'JQL' (Jira Query Language) a threat for the security of my Jira installation?

jira,sql-injection,atlassian
As I unterstood it, JQL is used within a feature called 'Advanced Search' to dig up information stored in my Jira DB. It is a SQL-like query language. I can compose (and later reuse) a URL that contains a complete JQL query. Example: https://[mysite.com]/issues/?jql=project%20%3D%20PVZ%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20priority%20DESC Even if I am not logged...

PHP Prepared statement login

php,mysql,login,passwords,sql-injection
I'm in the process of adding password hashing and SQL injection defenses into my Login system. Currently, I've ran into an error. <?php session_start(); //start the session for user profile page define('DB_HOST','localhost'); define('DB_NAME','test'); //name of database define('DB_USER','root'); //mysql user define('DB_PASSWORD',''); //mysql password $con = new PDO('mysql:host=localhost;dbname=test','root',''); function SignIn($con){ $user =...

Which statement is better and more secure for SQL Injection?

c#,asp.net,sql-injection
Which statement is better and more secure to prevent any sql injection, or are they the same? com.CommandText = "update tblTableName set [email protected], [email protected] WHERE ID=1"; com.Parameters.AddWithValue("@name", name.ToString()); com.Parameters.AddWithValue("@age", age.ToString()); OR com.CommandText = @"update tblTableName set Name=" + name.ToString() + ", Age=" + age.ToString() + " WHERE ID=1"; OR com.CommandText...

Can you show examples of SQL Injection on this code?

php,sql-injection
My friend is new to PHP concepts(And so am I), and he developed the code below. I know it is vulnerable, and I told him I could do stuff on his database, like messing with other tables, Update other values etc. The vulnerable part of the code is an INPUT,...

Need information on SQL Injection in ASP.Net MVC 4

sql,asp.net,asp.net-mvc-4,sql-injection
I have a report generated by IBM appscanner tool. It scanned my mvc application and on some urls it gave me high alerts. I'm trying to figure out how to perform parameter manipulation on my page like above information provided in the report to find the issue.Example of the...

Is it possible to install malicious code with a SQL injection attack

sql-server,security,sql-injection
We recently identified a security floor in some old code which was vulnerable to SQL injection attack. The server is MS SQL Server 2012 running on Windows 2012. During the investigation I have been asked if any malicious code has been installed via the vulnerability. The SQL server is once...

PHP / MySQLi: How to prevent SQL injection on INSERT (code partially working)

php,mysql,mysqli,sql-injection,sql-insert
I am new to PHP and hope someone can help me with this. I would like to store two values (an email and a password) in a MySQL db using PHP. The input is passed to the PHP page via Ajax in jQuery (through an onclick event on a website)....

Explain how order clause can be exploited in Rails

sql,ruby-on-rails,sql-injection
I am having difficulty understanding how this section from this website on Rails SQL Injections works. Taking advantage of SQL injection in ORDER BY clauses is tricky, but a CASE statement can be used to test other fields, switching the sort column for true or false. While it can take...

PHP: While loop not working after adjusting SELECT for SQL injection prevention

php,mysql,select,sql-injection,associative-array
I am trying to set up PHP queries for MySQL in a way to prevent SQL injection (standard website). I had a couple of INSERT queries where changing this worked well but on the following SELECT I keep getting an error since the update and it looks like the while...

How to avoid SQL Injection with Update command in Npgsql?

database,postgresql,sql-injection,npgsql
I am trying to use the Npgsql PostgreSQL client to accomplish two things: Avoid SQL injection, and Manage data containing the single quote ' I cannot see how to do either :( PostrgeSQL version 9.1 In the below code, dx.chronic is of type bool? and cdesc of table dx may...

Prevent SQL Injection when the table name and where clause are variables

asp.net,ado.net,sql-injection
I have a situation need your help. At the moment, i've build an asp.net app using ado.net. I'm using CommandText to build dynamic query so it have SQL Injection vulnerability. My CommandText like this String.Format("SELECT COUNT(*) FROM {0} {1}", tableName, whereClause) TableName and whereClause is passed in by developer. As...

How to prepare statement with mysqli for select query

php,mysqli,sql-injection
I am very worried about sql injection. I have been reading up about it and been trying to prepare the following query: $query_AcousticDB = "SELECT * FROM products WHERE Category = 'Acoustic ' ORDER BY RAND()"; $AcousticDB = mysqli_query($DB, $query_AcousticDB) or die(mysqli_connect_error()); $row_AcousticDB = mysqli_fetch_assoc($AcousticDB); $totalRows_AcousticDB = mysqli_num_rows($AcousticDB); which works...

SQL injection without single quotes

sql,sql-injection,hacking
Is there a way to do a sql injection without using the single quote ' ?? I've looked to a lot of questions but they are all about single quote escaping or they do not contain a solution (SQL Injection after removing all single-quotes and dash-characters) I'm doing an hack...

How to use SQL parameters with IF conditions and what datatype is equal to the NVARCHAR. OLeDB, VB.NET

sql-server,vb.net,parameters,sql-injection
So my question actually has more than 2 parts but all linked with protecting my application against SQL injection. Lately I am rebuilding my application to make it SQL injection proof. My application is written in VB.NET and I am using Parameters.Add to protect the queries. UPDATE first question: Found...

detectecting destructive SQL queries with C#

c#,sql,asp.net,regex,sql-injection
So I am looking to find a more effective way to determine all variants of the strings in the array in this this C# code I wrote. I could loop over the whole string and compare each character in sqltext to the one before it and make it overly complicated...

Can an SQL injection be made with a single word in a SELECT statement?

php,mysqli,sql-injection,sanitization
Suppose you have a query looking like this: SELECT * FROM messages WHERE sender='clean_username' where the clean_username is received over get/post and sanitized like this: $clean_username = preg_replace( '/[^A-Za-z0-9_]+/m' , '', $dirty_username ); The above code removes any whitespace (among other things), which means that the valid_username parameter will always...

Securing a static SQL query from SQL Injection

java,mysql,prepared-statement,sql-injection,fortify
I have an application which reads thousands of flat files containing database parameters and static SQL statements. In my java code i take the SQL statement and execute it. This is not acceptable to Fortify due to probable SQL Injection vulnerability. e.g. my flat file is something like below: query:...

SQL Injection - is it possible when the variable is processed using intval()?

php,sql,sql-injection
I have very short question, but no one asked it yet. Is it posible to do SQL injection in such piece of code?: $number = intval($_GET["number"]; mysqli_query($link, "Select Username FROM Users WHERE USER_ID = $number"); Thank you....

Issue about XSS Attack and SQL Injection

php,security,mysqli,xss,sql-injection
I'm new to web security.After spending time reading some blogs and community sites like SO,I have found some techniques to be safe from XSS Attack and SQL Injection.But the problem is,most of that security related questions are very old.So,my question is does my following code has any major security holes...

In what does prepared SQL statement differ from htmlspecialchars converted GET variable?

php,security,mysqli,sql-injection
So I was messing around with SQL injections on my website, trying to find an easy way to protect it from SQL injections. I found many things about "Prepared SQL statements", mostly in this post. This is all nice and yes, it does prevent any kind of SQL injection I...

Safe way to open cursor with dynamic column name from user input

sql,sql-injection,plpgsql,dynamic-sql,postgresql-9.4
I am trying write function which open cursor with dynamic column name in it. And I am concerned about obvious SQL injection possibility here. I was happy to see in the fine manual that this can be easily done, but when I try it in my example, it goes wrong...

Why is this SQL injection 'sleep' attack an effective denial of service?

mysql,security,sql-injection
Today, while administering a client's server, our monitoring identified some slow page load times / other issues. I noticed while troubleshooting this, that the following query was in the process list and never seemed to finish: SELECT * FROM motorcycles LEFT JOIN motorcycle_year ON motorcycle_year.year_id = motorcycles.motorcycle_vyear LEFT JOIN motorcycle_make...

SQL Injection in FROM clause with SqlBuilder [closed]

c#,sql,sql-server,sql-injection
We have a SQL statement that uses the SqlBuilder set the table name in the from clause. The database is SQL Server 2008 and up. var sqlBuilder = new SqlBuilder(); sqlBuilder.Select("*").From(tableName); sqlBuilder.Where("..."); Connection.BuilderQuery<dynamic>(sqlBulder).Select(Map); I am wondering if this is a SQL injection risk? and how can I mitigate that risk?...

Purpose of web app input validation for security reasons

validation,security,xss,sql-injection,code-injection
I often encounter advice for protecting a web application against a number of vulnerabilities, like SQL injection and other types of injection, by doing input validation. It's sometimes even said to be the single most important technique. Personally, I feel that input validation for security reasons is never necessary and...

Strip-tags vs htmlentities vs other. Which has the better security in php?

javascript,php,sql,security,sql-injection
I'm creating a website (assuming that it will have a lot of users) that is going to have users using all characters and so it could contain characters like >, < and /. So someone suggested that I use htmlentities() instead of strip tags. Is htmlentities reasonbly safe against SQL...

How do I prevent MySQL Database Injection Attacks using vb.net?

mysql,.net,database,vb.net,sql-injection
I am using vb.net in Visual Basic 2010 and using Query to edit my Online MySQL Database from the application (WinForms). Here is a sample to insert a new user into the database: MySQLCon.Open() Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text &...

WordPress SQL Injection URL parameter

php,wordpress,sql-injection
I wrote a very little WordPress application that uses URL parameter values to generate html content on a public site like this: URL example: www.mydomain/?prmtr=Chicago Code: $prmtr = isset( $_GET['prmtr'] ) ? $_GET['prmtr'] : 'NewYork'; A possible HTML integration is like this <h1>Hello Person from <?php echo $prmtr; ?></h1> Is...

Is this SQL query, injection safe

c#,sql,asp.net,sql-injection
I think the initial code is fine: SqlCommand param = new SqlCommand(); SqlGeometry point = SqlGeometry.Point(center_lat,center_lng,0); SqlGeometry poly = SqlGeometry.STPolyFromText(new SqlChars(new SqlString(polygon)),0); param.CommandText = "INSERT INTO Circle (Center_Point, Circle_Data) VALUES (@point,@poly);"; param.Parameters.Add(new SqlParameter("@point", SqlDbType.Udt)); param.Parameters.Add(new SqlParameter("@poly", SqlDbType.Udt)); param.Parameters["@point"].UdtTypeName = "geometry"; param.Parameters["@poly"].UdtTypeName =...

Is SQL Injection Possible even on Prepared Statement [Java][Mysql]

java,mysql,sql-injection,penetration-testing
I read many articles on stackoverflow regarding how sql injection can be prevented by using prepared statements But is there any way to do sql injection even on prepared statements or is it 100% safe Below is my java code String query = "SELECT * FROM Users WHERE username=? and...

C# avoid SQL Injection in a function

c#,sql,sql-server,sql-injection
I want to create a class that help SELECT , INSERT , UPDATE and DELETE in SQL server databases , but I've found by search that there is "sql injection" and the way to avoid it is to use a function like the following : private static void Select() {...

SQL Injection flaw

c#,sql-server,sql-injection
I am working on a project where the client has reported an SQL injection flaw in the code. Here is my codeā€¦ 1 public int ExecuteNonQuery(string query, SqlParameter[] parameters) 2 { 3 using (SqlCommand command = CreateCommand(query, parameters)) 4 { 5 int rowsAffected = command.ExecuteNonQuery(); 6 return rowsAffected; 7 }...