sql-injection

2 Questions actually: I know i must use Stored Procedures as much as Possible, but i would like to know the following please. A: Can i get a SQL Injection attack from a SELECT statement such as (Select * from MyTable) ? B: Also, can i get a SQL Injection attack when I use the SQLDataSource in ASP.NET? To answer your questions. A: Yes, you can get an SQL Injection attack from any query that takes parameters (even calling stored procedures if you are not using the provided methods by your platform and doing it via SQL calls). I was asked to provide an example of how an injection can be made even

Web applications on uncompromised computers are vulnerable to XSS,CRSF,sql injection attacks and cookie stealing in unsecure wifi environments. To prevent those security issues there are the folowing remedies sql injection: a good datamapper(like linq-to-sql) does not have the risk of sql injection (am i naïeve to believe this?) CSRF: Every form-post is verified with the <%:Html.AntiForgeryToken() %> (this is a token in a asp.net mvc environment that is stored in a cookie and verified on the server) XSS: every form that is allowed to post html is converted, only bb code is allowed, the rest is

Just last week, I was doing some PHP stuff. I worked a little solution to prevent SQL injections. PHP has been always my man, it has readily 3 solutions for use (maybe more). One is to enable "magic queries" using stripslashes() function. Another one (the recommended) is to use mysql_real_escape_string() function. That simple and my problem is solved. However, things don't seem to be that simple when it comes to JSP. I searched and didn't find any built-in function to strip slashes or do those sort of things (I believe such functionality can be implemented using basic JAVA functions but...).

I found the following in the "e-mail" field of my newsletter subscriber database: ' OR 1=1/* I know it's a SQL injection, but that's it. I've googled it a little bit, but I'm still on clear on what exactly it's trying to achieve. This occurred early Nov, and to my knowledge we had no outages around that time. Can any of you kind souls tell me what this guy was probably trying and do? Is there any way to know whether he achieved what he was trying to do? I know virtually nothing about this and I'm worried. :( 'OR 1=1 is an attempt to make a query succeed no matter what The /* is an attempt to

I'm building a Codeigniter application and I'm trying my hardest to prevent SQL injections. I'm using the Active Record method to construct all my queries. I know Active Record automatically sanitizes the input, but I'm wondering exactly to what extent? Does it simply escape all the quotes, or does it do more? What about preventing obfuscated SQL injections, or other more advanced kinds? Basically, I'm looking for an in-depth explanation of how CI sanitizes data. Anyone know? Exactly like this (for the MySQL driver): Tries mysql_real_escape_string() (this will be the case 99% of the time)

As far as I understand, prepared statements are (mainly) a database feature that allows you to separate parameters from the code that uses such parameters. Example: PREPARE fooplan (int, text, bool, numeric) AS INSERT INTO foo VALUES($1, $2, $3, $4); EXECUTE fooplan(1, 'Hunter Valley', 't', 200.00); A parameterized query substitutes the manual string interpolation, so instead of doing cursor.execute("SELECT FROM tablename WHERE fieldname = %s" % value) we can do cursor.execute("SELECT FROM tablename WHERE fieldname = %s", [value]) Now, it seems that prepared statements are, for the most part,

Spring's JdbcTemplate abstraction provides a lot of functionality, but can it be used in such a way that provides protection from SQL injection attacks? For example, like the kind of protection you would get using PreparedStatement with properly defined parameterization. Donal Fellows It most certainly does. This example is straight from the Spring 3.0 docs (but is the same in 2.*): String lastName = this.jdbcTemplate.queryForObject( "select last_name from t_actor where id = ?", String.class, 1212L); As you can see, it strongly favors prepared statements (which it must be using behind the