Questions tagged [sql-injection]

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

2773 votes, 28 answers, 2.0m views

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; ...
733 votes, 4 answers, 283k views

SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(...
1168 votes, 13 answers, 253k views

How does the SQL injection from the "Bobby Tables" XKCD comic work?

Just looking at: (Source: https://xkcd.com/327/) What does this SQL do: Robert'); DROP TABLE STUDENTS; -- I know both ' and -- are for comments, but doesn't the word DROP get commented as well ...
1227 votes, 18 answers, 616k views

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?
103 votes, 9 answers, 41k views

What is SQL injection? [duplicate]

Can someone explain SQL injection? How does it cause vulnerabilities? Where exactly is the point where SQL is injected?
119 votes, 7 answers, 149k views

Why do we always prefer using parameters in SQL statements?

I am very new to working with databases. Now I can write SELECT, UPDATE, DELETE, and INSERT commands. But I have seen many forums where we prefer to write: SELECT empSalary from employee where salary ...
54 votes, 4 answers, 130k views

What are good ways to prevent SQL injection? [duplicate]

I have to program an application management system for my OJT company. The front end will be done in C# and the back end in SQL. Now I have never done a project of this scope before; in school we had ...
711 votes, 7 answers, 240k views

Are PDO prepared statements sufficient to prevent SQL injection?

Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['...
212 votes, 9 answers, 158k views

How can prepared statements protect from SQL injection attacks?

How do prepared statements help us prevent SQL injection attacks? Wikipedia says: Prepared statements are resilient against SQL injection, because parameter values, which are transmitted later using ...
49 votes, 2 answers, 9k views

How can I add user-supplied input to an SQL statement?

I am trying to create an SQL statement using user-supplied data. I use code similar to this in C#: var sql = "INSERT INTO myTable (myField1, myField2) " + "VALUES ('" + someVariable + "', '"...
9 votes, 1 answer, 15k views

Is "mysqli_real_escape_string" enough to avoid SQL injection or other SQL attacks?

This is my code: $email= mysqli_real_escape_string($db_con,$_POST['email']); $psw= mysqli_real_escape_string($db_con,$_POST['psw']); $query = "INSERT INTO `users` (`email`,`psw`) VALUES ('".$...
60 votes, 5 answers, 3k views

Reference: What is a perfect code sample using the MySQL extension? [closed]

This is to create a community learning resource. The goal is to have examples of good code that do not repeat the awful mistakes that can so often be found in copy/pasted PHP code. I have requested it ...
160 votes, 14 answers, 290k views

Java - escape string to prevent SQL injection

I'm trying to put some anti sql injection in place in java and am finding it very difficult to work with the "replaceAll" string function. Ultimately I need a function that will convert any ...
55 votes, 3 answers, 46k views

CSRF, XSS and SQL Injection attack prevention in JSF

I have a web application built on JSF with MySQL as DB. I have already implemented the code to prevent CSRF in my application. Now since my underlying framework is JSF, I guess I don't have to handle ...
60 votes, 7 answers, 64k views

The ultimate clean/secure function

I have a lot of user inputs from $_GET and $_POST... At the moment I always write mysql_real_escape_string($_GET['var']).. I would like to know whether you could make a function that secures, escapes ...
143 votes, 10 answers, 124k views

How does a PreparedStatement avoid or prevent SQL injection?

I know that PreparedStatements avoid/prevent SQL Injection. How does it do that? Will the final form query that is constructed using PreparedStatements be a string or otherwise?
19 votes, 6 answers, 9k views

In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

I am working on a form with the possibility for the user to use illegal/special characters in the string that is to be submitted to the database. I want to escape/negate these characters in the string ...
116 votes, 6 answers, 70k views

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

Earlier today a question was asked regarding input validation strategies in web apps. The top answer, at time of writing, suggests in PHP just using htmlspecialchars and mysql_real_escape_string. ...
15 votes, 4 answers, 16k views

When should I use prepared statements?

Originally I used mysql_connect and mysql_query to do things. Then I learned of SQL injection, so I am trying to learn how to use prepared statements. I understand how the prepare and execute ...
102 votes, 6 answers, 179k views

Preventing SQL injection in Node.js

Is it possible to prevent SQL injections in Node.js (preferably with a module) in the same way that PHP had Prepared Statements that protected against them? If so, how? If not, what are some examples ...
150 votes, 18 answers, 84k views

Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?

I realize that parameterized SQL queries are the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with taking user input and escaping ...
20 votes, 3 answers, 4k views

How can I prevent SQL injection with dynamic tablenames?

I had this discussion with a high reputation PHP guy: PDO has no use here. as well as mysql_real_escape_string. extremely poor quality. This of course is cool, but I honestly don't know what's ...
69 votes, 4 answers, 59k views

Examples of SQL Injections through addslashes()?

In PHP, I know that mysql_real_escape is much safer than using addslashes. However, I could not find an example of a situation where addslashes would let an SQL Injection happen. Can anyone give some ...
85 votes, 9 answers, 29k views

Are Parameters really enough to prevent Sql injections?

I've been preaching both to my colleagues and here on SO about the goodness of using parameters in SQL queries, especially in .NET applications. I've even gone so far as to promise them as giving ...
19 votes, 10 answers, 42k views

How should I pass a table name into a stored proc?

I just ran into a strange thing...there is some code on our site that is taking a giant SQL statement, modifying it in code by doing some search and replace based on some user values, and then passing ...
10 votes, 2 answers, 5k views

SQL injections in ADOdb and general website security

I have done pretty much reading and still don't understand 100% how some of the SQL injections happen! I'd like to see, from those who know, concrete examples of SQL injection based on my example, so ...
71 votes, 3 answers, 47k views

Python: best practice and securest way to connect to MySQL and execute queries

What is the safest way to run queries on MySQL? I am aware of the dangers involved with MySQL and SQL injection. However, I do not know how I should run my queries to prevent injection on the ...
36 votes, 8 answers, 54k views

Classic ASP SQL Injection Protection

What is a strong way to protect against sql injection for a classic asp app? FYI I am using it with an access DB. (I didn't write the app)
71 votes, 9 answers, 42k views

Passing table name as a parameter in psycopg2

I have the following code, using psycopg2: sql = 'select %s from %s where utctime > %s and utctime < %s order by utctime asc;' data = (dataItems, voyage, dateRangeLower, dateRangeUpper) rows = ...
13 votes, 3 answers, 8k views

Is mysql_real_escape_string() broken?

Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used. Bringing some fossilized articles as a proof. So, the question is: is mysql[i]...
29 votes, 7 answers, 18k views

Why is using a mysql prepared statement more secure than using the common escape functions?

There's a comment in another question that says the following: "When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this....
21 votes, 15 answers, 5k views

Non-web SQL Injection

There seems to be some hysteria about SQL Injection attacks. Most recently, here How to return the value in one field based on lookup value in another field If I'm creating a macro in Excel that ...
63 votes, 12 answers, 89k views

Does CodeIgniter automatically prevent SQL injection?

I just inherited a project because the last developer left. The project is built off of Code Igniter. I've never worked with Code Igniter before. I took a quick look at the code and I see database ...
14 votes, 9 answers, 38k views

Prevent SQL injection attacks in a Java program

I have to add a statement to my java program to update a database table: String insert = "INSERT INTO customer(name,address,email) VALUES('" + name + "','" + addre + "','" + email + "');"; I ...
110 votes, 21 answers, 29k views

Avoiding SQL injection without parameters

We are having another discussion here at work about using parametrized sql queries in our code. We have two sides in the discussion: Me and some others that say we should always use parameters to ...
38 votes, 4 answers, 13k views

Does mysql_real_escape_string() FULLY protect against SQL injection?

On http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/?akst_action=share-this , there is a section that claims you can bypass mysql_real_escape_string with certain Asian character ...
12 votes, 2 answers, 2k views

Shortcomings of mysql_real_escape_string?

I have seen a few people on here state that concatenating queries using mysql_real_escape_string will not protect you (entirely) from SQL injection attacks. However, I am yet to see an example of ...
20 votes, 11 answers, 13k views

What does mysql_real_escape_string() do that addslashes() doesn't?

Why do we need DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't? Ignoring for the moment the superior alternative of parameterized queries, is a ...
100 votes, 11 answers, 11k views

Do I have to guard against SQL injection if I used a dropdown?

I understand that you should NEVER trust user input from a form, mainly due to the chance of SQL injection. However, does this also apply to a form where the only input is from a dropdown(s) (see ...
43 votes, 4 answers, 18k views

how safe are PDO prepared statements

Started using PDO prepared statements not too long ago, and, as I understand, it does all the escaping/security for you. For example, assuming $_POST['title'] is a form field. $title = $_POST['title'...
34 votes, 8 answers, 66k views

SQL injection on INSERT

I have created a small survey web page on our company Intranet. This web page is not accessible from the outside. The form is simply a couple of radio buttons and a comments box. I would like to ...
78 votes, 6 answers, 53k views

How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?

To start this off, I am well aware that parameterized queries are the best option, but I am asking what makes the strategy I present below vulnerable. People insist the below solution doesn't work, so ...
21 votes, 9 answers, 48k views

How to prevent a SQL Injection escaping strings

I have some queries (to an access database) like this: string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'"; and I'd like to "escape" ...
53 votes, 4 answers, 38k views

Parameterized Queries with LIKE and IN conditions

Parameterized Queries in .Net always look like this in the examples: SqlCommand comm = new SqlCommand(@" SELECT * FROM Products WHERE Category_ID = @categoryid ", conn); comm....
38 votes, 4 answers, 34k views

Does the preparedStatement avoid SQL injection? [duplicate]

I have read and tried to inject vulnerable sql queries to my application. It is not safe enough. I am simply using the Statement Connection for database validations and other insertion operations. Is ...
21 votes, 16 answers, 32k views

How can I avoid SQL injection attacks in my ASP.NET application?

I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?
11 votes, 6 answers, 4k views

How can I avoid SQL injection attacks?

Yesterday I was speaking with a developer, and he mentioned something about restricting the insertions on database field, like, strings such as -- (minus minus). At the same time, what I know is that ...
10 votes, 3 answers, 2k views

Are dynamic mysql queries with sql escaping just as secure as prepared statements?

I have an application which would greatly benefit by using dynamic mysql queries in combination with mysql (mysqli) real escape string. If I ran all data received from the user through mysql real ...
17 votes, 3 answers, 22k views

SQL Server - Dynamic PIVOT Table - SQL Injection

Sorry for the long question but this contains all the SQL I've used to test the scenario to hopefully make it clear as to what I'm doing. I'm building up some dynamic SQL to produce a PIVOT table in SQL ...
42 votes, 5 answers, 16k views

Does using parameterized SqlCommand make my program immune to SQL injection?

I'm aware that SQL injection is rather dangerous. Now in my C# code I compose parameterized queries with SqlCommand class: SqlCommand command = ...; command.CommandText = "SELECT * FROM Jobs WHERE ...
