As this document says prepared statements are server side statements like functions or procedures (correct me if I'm wrong).
But I have some trouble finding defined prepared statement on my database. I'm currently working with MySQL Workbench and in the left side pane I can see all my procedures and functions and I can't see any of defined prepared statements here.
So is there any query which I can use to get their names?
The doc says
A prepared statement is specific to the session in which it was created. If you terminate a session without deallocating a previously prepared statement, the server deallocates it automatically.
So Prepared Statements get deleted automtically after the session ends. Besides, a Prepared Statement does not have a name It is just a query string.
Related
I have an insert query that I want to execute using the JavaScript V3 AWS client, against an AWS Aurora MySQL Serverless database. I am using the Data API of the database. I got the #aws-sdk/client-rds-data set up in my code and I can connect and execute arbitrary SQL queries using the ExecuteStatementCommand.
What I would like to know is that how I make SQL prepared statements and execute them. I have an INSERT query whose values are user provided. I cannot just concatenate those values into the SQL query as it would create an SQL injection vulnerability.
Unfortunatelly, I couldn't find how to make prepared statements and execute them in the #aws-sdk/client-rds-data package's documentation.
If somebody knows how to do it, could that someone please explain. Big thanks in advance!
I'm not a user of the AWS SDK for client-rds-data, but I'm inferring the following from the documentation, and my own knowledge of MySQL.
I see that interface ExecuteSqlCommandInput has a property sqlStatements, which allows multiple SQL statements separated by semicolons. This precludes the use of query parameters, because in MySQL you can't use prepare() on a string that includes multiple SQL statements.
Whereas ExecuteStatementCommandInput has a property sql (a single statement) and a property parameters which is an array of scalar parameters (i.e. each scalar corresponds to one parameter placeholder in the sql string). This should allow you to run a parameterized SQL query.
Re your comment: When you said you wanted to use prepared statements to avoid SQL injection vulnerabilities, I assumed you understood how prepared statements protect against those vulnerabilities.
In fact, using prepared statements alone is not a defense. You have to separate dynamic inputs from your SQL query by using query parameters. It just happens that using query parameters requires using prepared statements, so people say "use prepared statements" to defend against SQL injection, when they should say "use query parameters, which implies you must use prepared statements."
Tutorials about using SQL with query parameters are abundant. Here's one for Node.js: https://www.veracode.com/blog/secure-development/how-prevent-sql-injection-nodejs
The calling convention for the AWS SDK is different, but the concept is the same. I have only found reference documentation for AWS SDK, no code examples or task-oriented documentation. This is disappointing but unfortunately typical for AWS.
How can I create a trigger by executing a stored procedure in mysql. If it is not possible please explain the reasons.
Is there any way to create triggers dinamicaly without creating each every time?
If it is not possible please explain the reasons.
MySQL 8.0 Reference Manual / Stored Objects / Restrictions on Stored Programs # SQL Statements Not Permitted in Stored Routines
Generally, statements not permitted in SQL prepared statements are also not permitted in stored programs. For a list of statements supported as prepared statements, see Section 13.5, “Prepared Statements”. Exceptions are SIGNAL, RESIGNAL, and GET DIAGNOSTICS, which are not permissible as prepared statements but are permitted in stored programs.
MySQL 8.0 Reference Manual / SQL Statements / Prepared Statements # SQL Syntax Permitted in Prepared Statements
The complete list of the statements allowed is provided. There is no CREATE TRIGGER statement in this list.
Hence, trigger cannot be created in stored procedure.
But you can create a trigger and influence its execution. For example, you can create some service table in the database, and check the values stored in it in the trigger code - use them as parameters or execute/skip various blocks of code.
This corresponds to the principle "client code should not perform DDL operations" also.
When using <cfquery> and <cfqueryparam> (or queryExecute), ColdFusion (or perhaps the JDBC) will apply its own string replacement against the original SQL query before sending it to the MySQL server.
This is not as efficient as a prepared statement and has a greater potential for SQL injection if the ColdFusion servers escaping implementation is flawed.
Coldfusion debugging and tracing will make it appear as though the query was processed as a prepared statement but MySQL reveals otherwise.
This can be proven by logging sql queries:
set global general_log=1;
And watching the logs,
tail -f /var/lib/mysql/$(uname -n).log
The log should show PREPARE statements and question marks in the queries, but instead the log shows the full query with variables substituted into the question marks.
Is it possible to force ColdFusion to use proper PREPARE statements instead of string replacement when <cfquery> and <cfqueryparam> are used against a MySQL database? If it boils down to the JDBC connection string, what must be changed from the default settings in order to use prepared statements.
I think the answer may exist in here somewhere:
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
https://helpx.adobe.com/coldfusion/configuring-administering/data-source-management-for-coldfusion.html#DataSourceManagementforColdFusion-ConnectingtoMySQL
condition for creating a prepared statement using cfqueryparam?
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-useconfigs.html
https://dev.mysql.com/doc/connector-odbc/en/connector-odbc-configuration-connection-parameters.html
The default behavior of the JDBC driver is to set useServerPrepStmts=false according to https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
Add useServerPrepStmts=true to the JDBC Connection String parameters in the CFIDE (/cfide/administrator/enter.cfm) under Data & Services > Datasources.
I mean for security. Does converting to/from JSON objects help any with MySQLi?
My intention is to use MySQLi statements and send/receive everything as JSON objects (in order to in the future allow Android to use the same calls and queries.)
My only focus on this question is the security side of it. Do I need prepared statements if I'm converting everything to and from JSON objects for a MySQL database.
It doesn't matter what kind of data you are storing in the database. To prevent against SQL injection you need to parameterize all variable input in your SQL. It makes no difference where this data comes from. It doesn't matter what it is.
There is no reason not to use prepared statements. Seriously, not a single reason why you should not use prepared statements 100% of the time, even for constant queries.
Remember though, that prepared statements do not protect against SQL injection. Only the parameters help. Use placeholders in your SQL and bind the data separately. Do this always.
I prefer to use prepared statement but i'm studiyng defense techniques from SQL injection. I've read that stored procedures are used to limit the database privileges allowing only the execution privilege on the procedures but in some cases can be used to avoid sql injection.
Someone can give me an example using mysql?
Stored procedures has absolutely nothing to do with injections.
To protect from injection, you have to format your SQL properly, be it SELECT query, a procedure call or anything. That. Is. All.