sql-injection

Lets say on MySQL database (if it matters). No, you will not be completely safe. As others have mentioned, parameterized queries are always the way to go -- no matter how you're accessing the database. It's a bit of an urban legend that with procs you're safe. I think the reason people are under this delusion is because most people assume that you'll call the procs with parameterized queries from your code. But if you don't, if for example you do something like the below, you're wide open: SqlCommand cmd = new SqlCommand("exec @myProc " + paramValue, con); cmd.ExecuteNonQuery(); Because you're

I've tried all manner of Python modules and they either escape too much or in the wrong way. What's the best way you've found to escape quotes (", ') in Python? Dave Webb If it's part of a Database query you should be able to use a Parameterized SQL Statement . As well as escaping your quotes, this will deal with all special characters and will protect you from SQL injection attacks . Use json.dumps . >>> import json >>> print json.dumps('a"bc') "a\"bc" The easy and standard way to escape strings, and convert other objects to programmatic form, is to use the build in repr() function. It

I need to protect an application from SQL injection. Application is connecting to Oracle, using ADO, and search for the username and password to make the authentication. From what I've read until now, the best approach is by using parameters, not assigning the entire SQL as string. Something like this: query.SQL.Text := 'select * from table_name where name=:Name and id=:ID'; query.Prepare; query.ParamByName( 'Name' ).AsString := name; query.ParamByName( 'ID' ).AsInteger := id; query.Open; Also, I'm thinking to verify the input from user, and to delete SQL keywords like delete,insert,select,etc

What are the best ways to protect from MySQL injection? What are weaknesses I should look out for? I know what it is, but I really have no idea how vulnerable I might be. Though I have taken (what I think to be) steps toward protecting myself and my database. Is there any sure-fire way of stopping someone? BTW...I write in PHP:) Use prepared statements instead of mixing the statement and the actual payload data. see http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html PDO::prepare mysqli::prepare You might also be interested in http://shiflett.org/articles/sql-injection