Questions tagged [sql-injection]

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

SQL injection exploits a class of vulnerability found in applications that talk to SQL databases. It lets an attacker run SQL of their own choosing against the database by way of ordinary user input, and is used, for example, to extract, alter or delete sensitive data or to bypass authentication checks.

The vulnerability is present whenever user input is concatenated into the text of an SQL statement instead of being passed as a bound parameter of a prepared statement. Escaping the input (also called "sanitizing", e.g. with mysql_real_escape_string) is a weaker second choice: it only protects quoted string literals, so it does nothing for numeric values, identifiers (table and column names), ORDER BY expressions or LIMIT clauses, which cannot be quoted and must instead be checked against an allowlist of known-good values. The root cause is application code that builds SQL by string concatenation, not the database itself.

See the famous Bobby Tables example (xkcd 327) and the community-wiki answer to How can I prevent SQL injection in PHP?
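The two points above (input spliced into SQL text versus input passed as a bound parameter) as an added, runnable example. This is not code from the tag wiki or from any question on this page; it uses Python's standard sqlite3 module, an in-memory database, and constructed sample rows and attacker strings. The vulnerable function is deliberately written with string formatting to show both a tautology (`' OR '1'='1`) and a comment-out (`alice' --`) attack; the parameterized version receives the identical inputs and treats them as plain data.

```python
import sqlite3


def make_users_db():
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed sample data
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input becomes part of the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"  # AND binds tighter than OR, so the WHERE becomes always-true
COMMENT_OUT = "alice' --"  # '--' comments out the rest of the statement (password check)


def demo():
    """Run both implementations against the same inputs and return the rows each yields."""
    conn = make_users_db()
    return {
        # vulnerable: WHERE username = 'nobody' AND password = '' OR '1'='1'  -> every row
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY),
        # vulnerable: WHERE username = 'alice' --' AND password = 'wrong'    -> alice, no password needed
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        # parameterized: the same strings are compared literally and match nothing
        "safe_tautology": login_parameterized(conn, "nobody", TAUTOLOGY),
        "safe_comment": login_parameterized(conn, COMMENT_OUT, "wrong"),
        # parameterized with real credentials still works
        "safe_real": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Note that the parameterized version needs no escaping at all: the quote characters in `TAUTOLOGY` and `COMMENT_OUT` are sent to the engine as data, so there is nothing for the attacker to break out of.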


3768 questions
1 vote, 1 answer

escaping column name as query parameter

I was redoing a query to prevent SQL injection, but can't figure out how to escape the column name. This code won't work (example 1): cursor.execute( "UPDATE ttt SET status = 'Good' FROM table ttt WHERE %s = %s';", ('param1',…
Nir Vana
1 vote, 2 answers

Sanitizing MySQL Stored Procedure Parameters

I'm working on a stored procedure that generates a query dynamically based on values of input parameters. The sp uses the CONCAT() function within mysql for building the query. One of the parameters allows a user to enter a search string as a…
whitwhoa
1 vote, 1 answer

Entity Framework - passing null value as parameter

I am using contrast security (third party tool that indicates SQL Injection, Vulnerabilities) and entity framework, my code is like this: public int Insert(UserAddress userAddress) { _context.Entry(userAddress).State = EntityState.Added; …
1 vote, 2 answers

Best way of sanitize unparametrizable sql

I have to make a SQL string to be injected in a database for a third party to read it, execute it, and making a report with the results. Since the user can choose the columns wanted for the report, as well as renaming the columns, I've ended with a…
Rekesoft
1 vote, 3 answers

mysql_real_escape_string(htmlspecialchars( $value )); is enough? How can I easily improve it?

I'm using this in every $_get or $_post before access or insert to my Database.. I'm sure it's not enough.. but how safe is it? Can I combine it with some expression to make it safer? Thanks a lot! So how about this?…
Toni Michel Caubet
1 vote, 1 answer

MSAccess SQL Injection

Situation: I'm doing some penetration testing for a friend of mine and have total clearance to go postal on a demo environment. Reason for this is because I saw an XSS hole in his online ASP application (error page with error as param allowing…
Deefjuh
1 vote, 0 answers

Can't perform substring function inside blind SQL-injection

My request is var request = require('request'); request.post({ headers: {'content-type' : 'application/x-www-form-urlencoded'}, url: 'https://www.target.com/account/IsValidLogin', form: { …
splash27
1 vote, 1 answer

How to do sql injection in seed lab

So I'm relatively new to SQL programming and we are asked in our lab to inject a statement into the employee ID field of a website based on the following code: I think the answer would be to just type 1=1 name = "admin" however this doesn't seem to…
user7971323
1 vote, 2 answers

How to make dynamic database selection injection-proof in C# SQL

While trying to make my code injection-proof, a previously functional area is now throwing an 'Invalid object name' error: static void TestSQL(ref SqlConnection conn) { var dataTable = new DataTable(); // This line worked //var com = new…
TS-
1 vote, 1 answer

Single Quote Escape in PDO Prepared Statement Parameters

So I understand PDO Prepared Statements should protect from SQL injection and ' escapes. But when I attempted the following... if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["id"])) { $id = $_POST["id"]; //$id = "2' AND…
James P
1 vote, 1 answer

SQL Injection using PHP multi_query to DROP TABLE

I am trying to drop a table within a database using SQL injection through PHP. The PHP code submits a form to the Database with the following command and multi_query($sql): $sql = "INSERT INTO Student (StdNumber, FName, LName, DOB, PhoneNumber)…
Bartholomas
1 vote, 2 answers

Why is my query not working?

my website has PHP command: mysql_query("SELECT * FROM users WHERE id=" . $_GET["id"]) or die(mysql_error()); When I enter URL http://example.com/index.php?id=1;%20UPDATE%20users%20SET%20password=123%20WHERE%20id=1 I get following error: You have…
Poma
1 vote, 0 answers

Avoiding SQL injection in Flask SQL Alchemy

I want to take the username from a login field after submission to query my SQL Alchemy database. In the past I used things like the following: rows = db.execute("SELECT * FROM users WHERE username = :username",…
Luke D
1 vote, 2 answers

Oracle regexp_replace to prevent semicolons

Is the following code sufficient to prevent any semicolon from ever remaining in v_str? regexp_replace(v_str, ';') Or is there a way someone can circumvent it? For example the following snippet is not sufficient to block 'DROP' from being…
Stick-With-SQL
1 vote, 5 answers

Using regexp_replace to prevent SQL injection

We have thousands of oracle packages that contain a map_products procedure. We have a table that stores the list of oracle packages a customer would like that map_products run for. The process that runs them uses dynamic SQL like this: select…
Stick-With-SQL