sql-injection

For some sql statements I can't use a prepared statment, for instance: SELECT MAX(AGE) FROM ? For instance when I want to vary the table. Is there a utility that sanitizes sql in Java? There is one in ruby. Bill Karwin Right, prepared statement query parameters can be used only where you would use a single literal value . You can't use a parameter for a table name, a column name, a list of values, or any other SQL syntax. So you have to interpolate your application variable into the SQL string and quote the string appropriately. Do use quoting to delimit your table name identifier, and escape

I've been reading about SQL injection attacks and how to avoid them, although I can never seem to make the "awful" examples given work, e.g. see this post . I created a PHP file and a table in the database, had a value passed through $_GET and tried to delete the table by doing bob'); drop table students; -- and it didn't work. PHP automatically escapes the \' and the query has an error, no harm done. Same issue when trying to replicate login "attacks" like AND WHERE 1=1 etc. example code: <?php $id = $_GET['id']; $sql = "INSERT INTO Users (Username) VALUES ($id)"; echo $sql; mysql_query($sql)

In Rails, when I want to find by a user given value and avoid SQL injection (escape apostrophes and the like) I can do something like this: Post.all(:conditions => ['title = ?', params[:title]]) I know that an unsafe way of doing this (possible SQL injection) is this: Post.all(:conditions => "title = #{params[:title]}") My question is, does the following method prevent SQL injection or not? Post.all(:conditions => {:title => params[:title]}) Yes, it does. Only the second one is dangerous. edthix One good reference from the RoR Guides. +1 @fphilipe and @yuval Check this 5 min video from

Some doubts regarding Codeigniter and its Input handling capabilities. Some may be a little weird but they are doubts none-the-less. If I use the Active Record Class functions in CodeIgniter, is my input prevented against SQL injection? I read somewhere that it does, but I don't understand it how? or why? Also does xssclean deal with SQL injection in any way? is my input prevented against SQL injection? Not exactly ‘automatically’, but it does provide parameterised queries. CodeIgniter or no, you should use parameterised queries in preference to query string hacking whenever possible. $bof= "a

Recently my site was hacked via SQL injection. The hacker used the following query to get my DB name. I cannot understand this query they wrote. Query: =-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- After the query was ran it showed an integer result, something like " 74545883 ". Can you explain how the query works? sethvargo It looks like an overflow attack . They UNION -ed with your existing query. replacing all your %20 with (space) since its url-encoded yields: =-999.9