sql-injection

The script is in PHP and as DB I use MySQL. Here is the script itself. $unsafe_variable = $_GET["user-input"]; $sql=sprintf("INSERT INTO table (column) VALUES('%s')",$unsafe_variable); mysql_query($sql); Some people say that if user assigns ;DROP TABLE blah; string to the variable $unsafe_variable it deletes the table. But I tried this example, http://localhost/test.php?user-input=DROP%20TABLE%20my_table But it didn't delete the table but instead inserted a new row (;DROP TABLE blah;) in the table. Could anybody explain me how it is possible to attack this script with sql injections? That

I am tring to make my PHP as secure as possible, and the two main things I am trying to avoid are mySQL Injections Cross-Side Scripting (XSS) This is the script I got against mySQL Injections: function make_safe($variable) { $variable = mysql_real_escape_string(trim($variable)); return $variable; } http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/ Against XSS, I found this: $username = strip_tags($_POST['username']); Now I want to unite the two into a single function. Would this be the best way to do so? : function make_safe($variable) { $variable = strip_tags(mysql_real

So I'm a slightly seasoned php developer and have been 'doin the damn thing' since 2007; however, I am still relatively n00bish when it comes to securing my applications. In the way that I don't really know everything I know I could and should. I have picked up Securing PHP Web Applications and am reading my way through it testing things out along the way. I have some questions for the general SO group that relate to database querying (mainly under mysql): When creating apps that put data to a database is mysql_real_escape_string and general checking (is_numeric etc) on input data enough? What

I feel a little silly for asking this since I seem to be the only person in the world who doesn't get it, but here goes anyway. I'm going to use Python as an example. When I use raw SQL queries (I usually use ORMs) I use parameterisation, like this example using SQLite: Method A: username = "wayne" query_params = (username) cursor.execute("SELECT * FROM mytable WHERE user=?", query_params) I know this works and I know this is the generally recommended way to do it. A SQL injection-vulnerable way to do the same thing would be something like this: Method B: username = "wayne" cursor.execute(

I'm building a Java Web Application using Java EE 6 and JSF-2.0, using the persistence API for all database operations. The back-end is MySQL, but I have used the EntityManager functions and Named Queries in EJB-QL for all operations. Are SQL injection attacks possible in this case? It's only possible if you're inlining user-controlled variables in a SQL/JPQL string like so: String sql = "SELECT u FROM User u WHERE id=" + id; If you aren't doing that and are using parameterized/named queries only, then you're safe. Jigar Joshi Yes, it is possible. It depends on the way you implement. Have a