sql-injection

What is the best way to escape strings for sql inserts, updates? I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement? Thanks Duplicate of: Best way to defend against mysql injection and cross site scripting You should be using parameterized queries (so by extension, a DB interface library that supports parameterized queries) so that SQL injection can't happen. If you're talking about data values for your fields, then the best way is to use mysql_real_escape_string() . (Some people like mysqli ; can't say

I'm a big fan of using named parameters instead of string-based parameter injection. It's type-safe and safe against most forms of SQL injection. In old ADO.NET, I would create a SqlCommand object and a bunch of SqlParameters for my query. var sSQL = "select * from Users where Name = @Name"; var cmd = new SqlCommand(conn, sSQL); cmd.Parameters.AddWithValue("@Name", "Bob"); cmd.ExecuteReader(); Now, in Entity Framework, it appears (on this link) to have regressed to a simple String.Format statement and string injection again: (simplified for discussion) MyRepository.Users.SqlQuery("Select *

I do understand that the prepared statements is the ultimate way to seek protection against the SQL injection. However, they provide coverage in a limited fashion; for example, in cases where I let the user to decide how the order by operation to be ( i.e, is it ASC or DESC? etc ), I get no coverage there with the prepared statements. I understand that I can map the user input to a pre-defined white list for that. But, this is only possible when a whitelist can be created or guessed thoroughly beforehand. For example, in the cases I mention above ( the ASC, or DESC ), this can easily be mapped

For the sake of argument, let's just say I have to create a local variable containing a SQL query that has an INSERT: DECLARE @insert NVARCHAR(MAX) SELECT @insert = 'INSERT INTO [dbo].[' + @table + '] VALUES... EXEC (@insert) This INSERT is also going to contain a column value: DECLARE @insert NVARCHAR(MAX) SELECT @insert = 'INSERT INTO [dbo].[' + @table + '] VALUES (N''' + @message + ''')' EXEC (@insert) Now, I'm obviously concerned about an injection attack, and would like to ensure that @message's value can't make @insert's value malicious or malformed as a query to EXEC. This brings us to

I got bitten my first sql escaping error (it was long overdue) when I tried to execute the PostgreSQL query below with a value containing an apostrophe eg. O'Brien , using FreePascal and Lazarus SQL.Add(format('select * from zones where upper(zn_name) >= %s and upper(zn_name) < %s order by zn_name',[sQuote(zoneMin), sQuote(zoneMax)])); In the query above SQuote is a function that wraps a string in single quotes. Is there some standard library for sanitizing SQL query parameters for Lazarus/FreePascal or Delphi for that matter? Your application is vulnerable to a serious class of security

These functions give access to specialty functions (SqlClient) in SQL. For example 'like' or 'between'. And they also give a nicer common abstraction layer for them. Not to be confused with stored procedure(s) "functions" which is the topic of this other question . My question that I can't seem to find a full answer for is. Are they safe to use, or am I opening the system to a SQL injection attack ? I always use bound variables when writing regular SqlCommands. But in moving to Entity Framework. There is less control over the SQL statements. I don't mind it, but I can't help worrying when I

is it safe to use cast (int) instead of escaping? class opinion { function loadbyopinionid($opinionid){ $opinionid=(int)$opinionid; mysql_query("select * from fe_opinion where opinionid=$opinionid"); //more code } } mysql_real_scape_string is for STRINGS . it will not make an integer 'safe' for use. e.g. $safe = mysql_real_escape_string($_GET['page']); will do NOTHING where $_GET['page'] = "0 = 0"; because there's no SQL metacharacters in there. your query would end up something like SELECT ... WHERE somefield = 0 = 0 However, doing intval() will convert that 0=0 into a plain 0 . Yes it is

Can I avoid all SQL-injection attacks by using parameters? And don't worry about any thing in SQL injection in this case? Or are there some types of these attacks which require more care on the part of the programmer? No, you can't avoid all SQL injection attacks by using parameters. Dynamic SQL is the real issue, and this can occur in stored procedures as well as in your application code. E.g., this is prone to a SQL injection attack: your parameterized query passes a username to a stored procedure, and within the stored procedure the parameter is concatenated to a SQL command and then