Questions tagged [sql-injection]

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

SQL injection exploits a type of security vulnerability found in applications backed by SQL databases. It lets attackers pass malicious SQL commands to the database through user input, for example to extract, alter or delete sensitive data.

The vulnerability is present when user input is used directly in SQL commands instead of being passed as parameters or properly filtered (also known as "sanitized", e.g. by escaping quote characters). It happens primarily because of poorly written SQL handling code in client applications.

See the famous example, the Bobby Tables incident, and the answer to the community wiki question "How can I prevent SQL injection in PHP?".


3768 questions
1 vote, 5 answers

Is this safe in terms of SQL injection?

Currently getting more and more into MySQL. It's something I haven't been too fussed about, but I want to write some scripts with it now. My question is simple: I'm making a search script and just want to know if my PHP code can prevent some SQL…
Ricki
1 vote, 2 answers

How to build query in Java to prevent SQL injection using prepared statement

I need to build a query in such a way as to prevent the possibility of an SQL injection attack. I know of two ways to build a query. String query = new StringBuilder("select * from tbl_names where name =…
1 vote, 1 answer

Does ActiveRecord::ConnectionAdapters::OracleEnhancedAdapter#quote protect against SQL injection?

Does this method protect us against SQL injection? https://www.rubydoc.info/github/rsim/oracle-enhanced/ActiveRecord%2FConnectionAdapters%2FOracleEnhancedAdapter:quote
Henry Yang
1 vote, 1 answer

A senior developer on my team tells me that writing SQL commands like this is safe "because it's parameterized", but I don't see how

I'm writing some CRUD functions for media associated with certain products. To delete many records, I've been told to write the query as follows: dataContext.ExecuteCommand("DELETE FROM ProductMedia WHERE ProductId = {0}", productId); He says this…
Yahtzei
1 vote, 2 answers

Is using CreateDocumentQuery with predicate SQL Injection safe when using Cosmos DB?

I am using Microsoft.Azure.DocumentDB.Core version 2.1.1 library in .NET application to query data from Cosmos DB. Below is a code that I am using to query the data from Cosmos DB: var query = predicate == null ?…
Pradeep Gaba
1 vote, 2 answers

Is this query secured from SQL injection?

I wonder if this SQL query is secured from SQL injection, and if it is OK or I should modify something. I tried to bind the id from the GET and then, if everything is OK, I use that actual query with that id. if(isset($_GET['id']) && $_GET['id'] !=…
Dominik Balogh
1 vote, 2 answers

Does type hinting the function parameters in PHP (versions >7.0) make the code SQL-injection safe?

I have the following piece of code (inherited from previous dev): declare(strict_types=1); function updateWithCurrentTime(PDO $connection, int $id): void{ $date = date('m/d/Y h:i:s a', time()); $query= "INSERT INTO timetable (id,time)…
Dimitrios Desyllas
1 vote, 1 answer

Is this the right way to parameterize query? Is there any other way?

Well, I learned how to parameterize queries in PHP, but I just wanted to ask whether it is now totally secure from SQL injection or any other type of attack, and if it isn't, what improvement can I make to secure it even more?
Arbaz
1 vote, 0 answers

Table name, column names as argument to stored procedure

I am a newbie to stored procedures and to PL/SQL. There is an existing procedure to copy data from one table to another. I want to rewrite the stored procedure to accept table name and column names as arguments. Did googling on the solution but…
user3673985
1 vote, 0 answers

Preventing SQL Injection - CREATE Sequence Command

I have a very simple stored procedure which generates the next sequence as part of a simple Auto Number solution. The SQL stored procedure is CREATE PROCEDURE [dbo].[NextAutoNumber] @Key varchar(100), @UserId varchar(50), @Return bigint…
Kanini
1 vote, 1 answer

Need help understanding SQL-injection vulnerability in a restful API

I'm currently working on a Flask RESTful API that searches for doctors within a certain distance based on area. I would like to know exactly what kind of SQL injection it's vulnerable to, since sqlite3 does not allow multiple commands in one…
1 vote, 1 answer

Can I still use parameters for SQL command?

I'm trying to make generic code for building Insert/Update queries. So far I have only created the Update query, but I'm having doubts concerning SQL injection. My primary target is trying to create code to decrease the time spent retyping the same…
Roberto
1 vote, 2 answers

Ruby On Rails, SQL and SQL parameters

I have a complex SQL query. I need to safely pass parameters to the SQL query. How can I avoid SQL injections without using ActiveRecord? Where should I keep SQL models/controllers? Does anyone know good practice for working with SQL Server without…
Jonas
1 vote, 1 answer

Is it possible to perform a SQL Injection through an XSS vulnerability?

I've tried to perform a SQL Injection pentest on a website but couldn't because the website was not vulnerable. I want to try to perform a SQL Injection pentest through an XSS vulnerability. Is it possible?
Júlio César
1 vote, 2 answers

How is 'Escaping query values' safe in SQL? (Or why is it dangerous?) [SQL injection]

I'm following the Node.js with SQL examples on W3Schools, here. It said the following code prevents SQL injections. var adr = 'Mountain 21'; var sql = 'SELECT * FROM customers WHERE address = ' + mysql.escape(adr); con.query(sql, function (err, result)…
Jin Lee