sql-injection

SQL Injection, Quotes and PHP

不羁岁月 submitted on 2019-12-05 16:03:55
I'm quite confused now and would like to know if you could clear things up for me. After the latest Anon/Lulzsec attacks, I was questioning my PHP/MySQL security. So, I thought, how could I protect both PHP and MySQL? Question: Could anyone explain to me what's best practice to handle PHP and MySQL when it comes to quotes? Especially in forms, I would need some kind of htmlspecialchars in order to protect the HTML, correct? Can PHP be exploited at all with a form? Is there any kind of protection needed? Should I use real_escape_string just before a query? Would it be wrong/bad to use it

How are strings escaped for each database extension in php?

三世轮回 submitted on 2019-12-05 15:48:57
Before anyone jumps to conclusions as to the nature of this question, I already know about parameterized/prepared statements and use them whenever possible. Unfortunately, it is not always possible to use them when building dynamic queries. I'm interested in working with databases other than MySQL, but I can't easily find good sources as to how to escape strings for each database extension to prevent SQL injection. The PHP docs list the following vendor-specific database extensions. I've bolded the ones I'm most interested in: CUBRID dBase DB++ FrontBase filePro Firebird/InterBase Informix

How to execute arbitrary parameterized SQL in rails

☆樱花仙子☆ submitted on 2019-12-05 15:09:10
Question: For performance reasons, I need to write a new method in my Rails model that executes some arbitrary SQL: UPDATE table SET col1 = ? AND col2 = ? WHERE id = ? I understand I can use ActiveRecord::Base.connection.execute or ActiveRecord::Base.connection.update with a string of SQL to get the results I need, but what is the proper procedure for substituting the parameter placeholders (?) with the actual parameter values? Is there a Rails method for interpolating parameters into a SQL statement

Rails is this query open to sql injection?

烈酒焚心 submitted on 2019-12-05 14:39:23
I'm still learning how to write good queries using ActiveRecord. I'm curious if this query is subject to SQL injection because of the way I'm using the date field in the query. Can someone please point out any obvious mistakes or any better ways to write this query? @arrangements_for_month = Arrangement.joins(:timeslot). where("timeslots.timeslot BETWEEN '#{month}' AND '#{month.end_of_month}'", params[:id]). order('location_id') You should just use the preferred way of including parameters to be safe. Check out this guide: Building your own conditions as pure strings can leave you vulnerable

How to do SQL injection on Oracle

半腔热情 submitted on 2019-12-05 13:47:25
I'm doing an audit of a system which the developers insist is SQL injection proof. This they achieve by stripping out the single quotes in the login form, but the code behind is not parameterized; it's still using literal SQL like so: username = username.Replace("'", ""); var sql = "select * from user where username = '" + username + "'"; Is this really secure? Is there another way of inserting a single quote, perhaps by using an escape character? The DB in use is Oracle 10g. Have a look at the testing guide here: http://www.owasp.org/index.php/Main_Page That should give you more devious

Best practice for handling SQL injections when calling a stored procedure

不想你离开。 submitted on 2019-12-05 12:55:41
I have inherited code in which I am fixing security holes. What's the best practice for handling SQL injections when a stored procedure is called? The code is something like: StringBuilder sql = new StringBuilder(""); sql.Append(string.Format("Sp_MyStoredProc '{0}', {1}, {2}", sessionid, myVar, "0")); using (SqlConnection cn = new SqlConnection(ConfigurationManager.ConnectionStrings["Main"].ToString())) { cn.Open(); using (SqlCommand command = new SqlCommand(sql.ToString(), cn)) { command.CommandType = CommandType.Text; command.CommandTimeout = 10000; returnCode = (string)command.ExecuteScalar(

Is this sufficient to prevent query injection while using SQL Server?

谁说我不能喝 submitted on 2019-12-05 11:31:35
I have recently taken on a project in which I need to integrate with PHP/SQL Server. I am looking for the quickest and easiest function to prevent SQL injection on SQL Server as I prefer MySQL and do not anticipate many more SQL Server related projects. Is this function sufficient? $someVal = mssql_escape($_POST['someVal']); $query = "INSERT INTO tblName SET field = $someVal"; mssql_execute($query); function mssql_escape($str) { return str_replace("'", "''", $str); } If not, what additional steps should I take? EDIT: I am running on a Linux server - sqlsrv_query() only works if your hosting

C# sqlite injection [duplicate]

这一生的挚爱 submitted on 2019-12-05 10:46:35
Question: This question already has answers here: Avoiding SQL injection without parameters (21 answers) Closed 5 years ago. If I change my select from String insSQL2 = "select * from Produtos where nome = '" + txtBuscaNome.Text + "'" To String insSQL2 = "select * from Produtos where nome = ''" + txtBuscaNome.Text + "''" Will it prevent SQL injection? Answer 1: No. SQL injection isn't about creatively using quote characters. It's about treating input as data instead of as code. Take a look at a classic

Rails brakeman warning of sql injection

我们两清 submitted on 2019-12-05 10:39:46
I've got a scope in my model: scope :assigned_to_user, ->(user) { task_table = UserTask.table_name joins("INNER JOIN #{task_table} ON #{task_table}.user_id = #{user.id} AND (#{task_table}.type_id = #{table_name}.type_id) AND (#{task_table}.manager_id = #{table_name}.manager_id) ") } So after running the brakeman report I get this warning: assigned_to_user | SQL Injection | Possible So I tried the following: scope :assigned_to_user, ->(user) { task_table = UserTask.table_name joins(ActiveRecord::Base::sanitize("INNER JOIN #{task_table} ON #{task_table}.user_id = #{user.id} AND (#{task_table}

Is Propel's fromArray/fromJSON feature safe from SQL injection?

北战南征 submitted on 2019-12-05 09:04:54
The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, that should allow something like this: $foo = new Widget(); $foo->fromArray($_POST); $foo->save(); /* Aaand you're done! */ ...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right (the default setters are injection-proof, and the whole deal is based on PDO), but I'd like to be sure. Propel not only uses PDO for the queries, it also utilizes Prepared Statements via