Questions tagged [sql-injection]

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

SQL injection exploits a vulnerability in applications that talk to an SQL database: untrusted input (a form field, URL parameter, cookie or HTTP header) ends up being interpreted as part of an SQL statement instead of as a plain value. An attacker can then run SQL of their choosing with the application's database privileges, for example to read, alter or delete data, or to bypass a login check.

The vulnerability is present whenever such input is concatenated into the text of an SQL statement instead of being passed as a bound parameter (a prepared statement with placeholders such as ? or @name) or, failing that, escaped correctly for the string-literal syntax of the specific database (often called "sanitizing"). Escaping is the weaker defence: it has to agree with the connection's character set, it only covers quoted string literals, and it does nothing for numbers, identifiers (table and column names, ORDER BY keys) or LIMIT counts, which need an allow-list instead. The root cause is application code that builds SQL by string concatenation, not a flaw in the database server itself.

See the well-known Bobby Tables example (the xkcd strip "Exploits of a Mom") and the community wiki answer to How can I prevent SQL injection in PHP?


3768 questions
56 votes, 2 answers

How can I add user-supplied input to an SQL statement?

I am trying to create an SQL statement using user-supplied data. I use code similar to this in C#: var sql = "INSERT INTO myTable (myField1, myField2) " + "VALUES ('" + someVariable + "', '" + someTextBox.Text + "');"; var cmd = new…
Heinzi
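The tag description above and this question come down to the same contrast, shown here as an added Python example (not code from the page or from the question's author). SQLite's standard-library driver stands in for the C# SqlCommand and MySQL setups the questions use; the table, rows and attacker strings are constructed for the demonstration and are assumptions, not anything the page provides:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    conn.execute("CREATE TABLE students (name TEXT)")
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list[str]:
    """VULNERABLE: the value is pasted into the SQL text, so a quote in the
    input closes the string literal and whatever follows is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn: sqlite3.Connection, username: str) -> list[str]:
    """SAFE: the SQL text is a constant; the value is bound to the ? placeholder
    and is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def add_student_concat(conn: sqlite3.Connection, name: str) -> None:
    """VULNERABLE, and run through executescript(), which (like database
    drivers that allow stacked statements) executes every statement in the
    string, so a second statement smuggled in after a ';' runs as well."""
    conn.executescript("INSERT INTO students (name) VALUES ('" + name + "');")


def add_student_param(conn: sqlite3.Connection, name: str) -> None:
    """SAFE: the whole input, semicolon and all, becomes one stored value."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


# Constructed attacker inputs (hypothetical; not taken from the page).
TAUTOLOGY = "x' OR '1'='1"                   # makes the WHERE clause always true
BOBBY = "Robert'); DROP TABLE students;--"   # the Bobby Tables payload shape


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, TAUTOLOGY))   # every user comes back
    print(lookup_param(db, TAUTOLOGY))    # nothing: no user has that literal name
    add_student_concat(db, BOBBY)
    print(table_exists(db, "students"))   # False: the table is gone
```

executescript() is used for the INSERT deliberately: sqlite3's execute() refuses a string containing more than one statement, which is the same accidental protection PHP's mysql_query() gives against the DROP TABLE half of the payload. Drivers that accept statement batches (SQL Server through ADO.NET, for one) have no such barrier, and the tautology payload works through a single statement on every engine regardless.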
56 votes, 3 answers

Parameterized Queries with LIKE and IN conditions

Parameterized Queries in .Net always look like this in the examples: SqlCommand comm = new SqlCommand(@" SELECT * FROM Products WHERE Category_ID = @categoryid ", conn); comm.Parameters.Add("@categoryid",…
Tom Ritter
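The two cases the question asks about, LIKE and IN, are the ones where people most often fall back to concatenation because a single placeholder does not seem to fit. The following is an added Python example (not from the page or the question's author); it uses SQLite in place of the .NET/SQL Server stack in the question, with a constructed product table and the ? placeholder style of the sqlite3 module. The technique is the same for any driver with bound parameters:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample catalogue (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, category_id INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "widget", 10),
        (2, "gadget", 10),
        (3, "100% cotton shirt", 20),
        (4, "wid_get", 30),
    ])
    return conn


def like_pattern(term: str) -> str:
    """Build the LIKE pattern in code: the user's text is escaped so that any
    % or _ they typed matches literally, and *we* add the wildcards around it.
    The pattern is still passed as a parameter, so quotes in it are harmless;
    the escaping here is about LIKE's own wildcard syntax, not about SQL."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def search_names(conn: sqlite3.Connection, term: str) -> list[int]:
    # ESCAPE '\' tells the engine which character un-wildcards % and _
    sql = "SELECT id FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (like_pattern(term),))]


def in_categories(conn: sqlite3.Connection, category_ids: list) -> list[int]:
    """IN (...) needs one placeholder per value. Only the *number* of values
    shapes the SQL text; every value itself is bound."""
    if not category_ids:
        return []                       # "IN ()" is a syntax error on most engines
    placeholders = ", ".join("?" * len(category_ids))
    sql = f"SELECT id FROM products WHERE category_id IN ({placeholders}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, tuple(category_ids))]


if __name__ == "__main__":
    db = make_db()
    print(search_names(db, "wid"))              # [1, 4]: wildcards added by us
    print(search_names(db, "%"))                # [3]: the user's % matched literally
    print(search_names(db, "' OR 1=1 --"))      # []: just an odd search term
    print(in_categories(db, [10, 30]))          # [1, 2, 4]
    print(in_categories(db, ["10 OR 1=1"]))     # []: bound as a value, not as SQL
```

One practical limit of the IN approach is that engines cap the number of bound parameters per statement (SQLite and SQL Server both do, at different values); past a few hundred values, load them into a temporary table and join instead.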
50 votes, 7 answers

What is the PDO equivalent of function mysql_real_escape_string?

I am modifying my code from using mysql_* to PDO. In my code I had mysql_real_escape_string(). What is the equivalent of this in PDO?
REJOLA
48 votes, 4 answers

Are SQL injection attacks possible in JPA?

I'm building a Java Web Application using Java EE 6 and JSF-2.0, using the persistence API for all database operations. The back-end is MySQL, but I have used the EntityManager functions and Named Queries in EJB-QL for all operations. Are SQL…
Akshay
46 votes, 5 answers

Can someone explain this SQL injection attack to me?

I wanted to post this here as it is very much coding related and was something I had to clean up this week on one of my company's old ASP (classic) sites. We got hit with the SQL injection attack that was run just a few days ago, but I'm scratching…
Jakub
46 votes, 12 answers

Penetration testing tools

We have hundreds of websites which were developed in asp, .net and java and we are paying a lot of money to an external agency to do penetration testing of our sites to check for security loopholes. Is there any (good) software (paid or free) to…
Shoban
44 votes, 9 answers

A good way to escape quotes in a database query string?

I've tried all manner of Python modules and they either escape too much or in the wrong way. What's the best way you've found to escape quotes (", ') in Python?
Jonathan Prior
43 votes, 5 answers

Does using parameterized SqlCommand make my program immune to SQL injection?

I'm aware that SQL injection is rather dangerous. Now in my C# code I compose parameterized queries with SqlCommand class: SqlCommand command = ...; command.CommandText = "SELECT * FROM Jobs WHERE JobId = @JobId;"; command.Parameters.Add("@JobId",…
sharptooth
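Parameters cover values, not SQL structure: a table or column name, an ORDER BY key or a sort direction cannot be bound, so any code that takes those from the user is outside what a parameterized SqlCommand protects. The following added Python example (not from the page or the question's author) shows the gap and the allow-list that closes it. It uses SQLite rather than SQL Server, and the jobs table, the secrets table and the attacker expression are constructed for the demonstration:

```python
import sqlite3

# Allow-list of user-facing sort keys -> real column names. The user's value
# only ever selects an entry here; it is never spliced into the SQL itself.
SORT_COLUMNS = {"id": "id", "name": "name", "price": "price"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)",
                     [(1, "b", 30), (2, "a", 10), (3, "c", 20)])
    conn.execute("CREATE TABLE secrets (token TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('s3cr3t')")
    return conn


def jobs_order_by_concat(conn: sqlite3.Connection, sort_by: str) -> list[int]:
    """VULNERABLE: the column name is concatenated because it cannot be a
    parameter, so an attacker can hand over an expression instead of a name."""
    return [r[0] for r in conn.execute("SELECT id FROM jobs ORDER BY " + sort_by)]


def jobs_order_by_bound(conn: sqlite3.Connection, sort_by: str) -> list[int]:
    """Binding the column name does NOT work: the parameter is a string
    constant, every row sorts by the same value, and the order is effectively
    unspecified (SQLite simply returns scan order)."""
    return [r[0] for r in conn.execute("SELECT id FROM jobs ORDER BY ?", (sort_by,))]


def jobs_order_by_allowlist(conn: sqlite3.Connection, sort_by: str,
                            descending: bool = False, min_price: int = 0) -> list[int]:
    """SAFE: identifier from the allow-list, direction from a bool, value bound."""
    try:
        column = SORT_COLUMNS[sort_by]
    except KeyError:
        raise ValueError(f"unsupported sort key: {sort_by!r}") from None
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id FROM jobs WHERE price >= ? ORDER BY {column} {direction}"
    return [r[0] for r in conn.execute(sql, (min_price,))]


def leak_first_char_via_order(conn: sqlite3.Connection, guess: str) -> bool:
    """Blind inference through the vulnerable ORDER BY: the expression sorts by
    id when the guess is right and by price when it is wrong, and the attacker
    reads the answer off the order of the ids. No quote is needed to get in,
    only a bare expression where a column name was expected."""
    payload = (f"CASE WHEN (SELECT substr(token, 1, 1) FROM secrets) = '{guess}' "
               f"THEN id ELSE price END")
    return jobs_order_by_concat(conn, payload) == jobs_order_by_concat(conn, "id")


if __name__ == "__main__":
    db = make_db()
    print(jobs_order_by_concat(db, "price"))       # [2, 3, 1]
    print(jobs_order_by_bound(db, "price"))        # [1, 2, 3]: not sorted by price
    print(jobs_order_by_allowlist(db, "price"))    # [2, 3, 1]
    print(leak_first_char_via_order(db, "s"))      # True: token starts with 's'
```

The same reasoning applies to dynamic SQL built inside stored procedures (EXEC with a concatenated string) and to LIMIT/TOP counts: the parameterized call from C# is only as safe as the statement text that eventually reaches the parser.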
43 votes, 7 answers

How to avoid SQL injection in CodeIgniter?

Is there any method to set in the config file to avoid SQL injection? I am using this code for selecting values: $this->db->query("SELECT * FROM tablename WHERE var='$val1'"); And this for inserting values: $this->db->query("INSERT INTO tablename…
43 votes, 4 answers

How safe are PDO prepared statements?

Started using PDO prepared statements not too long ago, and, as I understand, it does all the escaping/security for you. For example, assuming $_POST['title'] is a form field. $title = $_POST['title']; $query = "insert into blog(userID, title)…
sqram
41 votes, 4 answers

Does the preparedStatement avoid SQL injection?

I have read about and tried to inject vulnerable SQL queries into my application. It is not safe enough. I am simply using the Statement connection for database validations and other insertion operations. Are preparedStatements safe? And moreover, will…
Mohamed Saligh
40 votes, 5 answers

How does SQL query parameterisation work?

I feel a little silly for asking this since I seem to be the only person in the world who doesn't get it, but here goes anyway. I'm going to use Python as an example. When I use raw SQL queries (I usually use ORMs) I use parameterisation, like…
Wayne Koorts
38 votes, 4 answers

Does mysql_real_escape_string() FULLY protect against SQL injection?

On http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/?akst_action=share-this , there is a section that claims you can bypass mysql_real_escape_string with certain Asian character encodings Bypassing mysql_real_escape_string()…
LM.
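The bypass the cited cheat sheet refers to is a character-set confusion: a byte-oriented escaper inserts a backslash (0x5C) after a byte that the server's connection charset treats as the first half of a two-byte character, so the server swallows the backslash into that character and the quote behind it is left unescaped. The added Python example below (not from the page, the question's author or the cheat sheet) models that mechanism with a deliberately charset-unaware escaper, GBK as the assumed connection charset, and SQLite standing in for the MySQL server; the decode() call plays the part of the server parsing the query text in its connection charset:

```python
import sqlite3


def naive_escape(raw: bytes) -> bytes:
    """Byte-oriented escaper that backslashes ' " \\ and NUL without knowing
    the character set. Models addslashes(), or an escaper whose idea of the
    connection charset differs from the server's (e.g. after SET NAMES)."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


# Constructed attacker input: 0xBF is a valid GBK lead byte, so once the
# escaper inserts 0x5C after it, the pair 0xBF 0x5C decodes as one two-byte
# character and the quote that follows is left bare.
PAYLOAD = b"\xbf' OR 1=1 -- "


def gbk_pair_is_one_char(pair: bytes = b"\xbf\x5c") -> bool:
    return len(pair.decode("gbk")) == 1


def rows_matched_after_naive_escape(payload: bytes = PAYLOAD) -> int:
    escaped = naive_escape(payload)               # bf 5c 27 20 4f 52 ...
    as_server_sees_it = escaped.decode("gbk")     # one CJK char, then ' OR 1=1 --
    sql = "SELECT name FROM users WHERE name = '" + as_server_sees_it + "'"
    return len(make_db().execute(sql).fetchall())


def rows_matched_with_parameter(payload: bytes = PAYLOAD) -> int:
    """Bound parameters never pass through the statement parser, so the
    charset trick has nothing to act on."""
    text = payload.decode("gbk", errors="replace")
    sql = "SELECT name FROM users WHERE name = ?"
    return len(make_db().execute(sql, (text,)).fetchall())


if __name__ == "__main__":
    print(naive_escape(PAYLOAD))                 # b"\xbf\\' OR 1=1 -- "
    print(rows_matched_after_naive_escape())     # 2: every user, the quote was bare
    print(rows_matched_with_parameter())         # 0
```

mysql_real_escape_string() itself is charset-aware; the attack needs the escaper's charset and the server's to disagree, which is what happens when the charset is changed with SET NAMES instead of mysql_set_charset(). That dependence on connection state is the reason escaping is the fallback and prepared statements the default.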
37 votes, 1 answer

Does Spring JDBC provide any protection from SQL injection attacks?

Spring's JdbcTemplate abstraction provides a lot of functionality, but can it be used in such a way that provides protection from SQL injection attacks? For example, like the kind of protection you would get using PreparedStatement with properly…
brabster
36 votes, 20 answers

Is SQL injection a risk today?

I've been reading about SQL injection attacks and how to avoid them, although I can never seem to make the "awful" examples given work, e.g. see this post. I created a PHP file and a table in the database, had a value passed through $_GET and tried…
Richard